changeset:   92792:2df4cc31c36e
parent:      92787:d61d2e5a0956
parent:      92791:ec9b7fd246b6
user:        Serhiy Storchaka <storchaka@gmail.com>
date:        Sat Oct 04 14:17:50 2014 +0300
files:       Misc/NEWS Python/codecs.c
description:
Issue #22518: Fixed integer overflow issues in "backslashreplace",
"xmlcharrefreplace", and "surrogatepass" error handlers.


diff -r d61d2e5a0956 -r 2df4cc31c36e Misc/NEWS
--- a/Misc/NEWS	Sat Oct 04 13:42:28 2014 +0300
+++ b/Misc/NEWS	Sat Oct 04 14:17:50 2014 +0300
@@ -10,6 +10,9 @@
 Core and Builtins
 -----------------
 
+- Issue #22518: Fixed integer overflow issues in "backslashreplace",
+  "xmlcharrefreplace", and "surrogatepass" error handlers.
+
 - Issue #22540: speed up `PyObject_IsInstance` and `PyObject_IsSubclass` in the
   common case that the second argument has metaclass `type`.
 
diff -r d61d2e5a0956 -r 2df4cc31c36e Python/codecs.c
--- a/Python/codecs.c	Sat Oct 04 13:42:28 2014 +0300
+++ b/Python/codecs.c	Sat Oct 04 14:17:50 2014 +0300
@@ -773,7 +773,7 @@
         Py_ssize_t end;
         PyObject *res;
         unsigned char *outp;
-        int ressize;
+        Py_ssize_t ressize;
         Py_UCS4 ch;
         if (PyUnicodeEncodeError_GetStart(exc, &start))
             return NULL;
@@ -781,6 +781,8 @@
             return NULL;
         if (!(object = PyUnicodeEncodeError_GetObject(exc)))
             return NULL;
+        if (end - start > PY_SSIZE_T_MAX / (2+7+1))
+            end = start + PY_SSIZE_T_MAX / (2+7+1);
         for (i = start, ressize = 0; i < end; ++i) {
             /* object is guaranteed to be "ready" */
             ch = PyUnicode_READ_CHAR(object, i);
@@ -869,7 +871,7 @@
         Py_ssize_t end;
         PyObject *res;
         unsigned char *outp;
-        int ressize;
+        Py_ssize_t ressize;
         Py_UCS4 c;
         if (PyUnicodeEncodeError_GetStart(exc, &start))
             return NULL;
@@ -877,6 +879,8 @@
             return NULL;
         if (!(object = PyUnicodeEncodeError_GetObject(exc)))
             return NULL;
+        if (end - start > PY_SSIZE_T_MAX / (1+1+8))
+            end = start + PY_SSIZE_T_MAX / (1+1+8);
         for (i = start, ressize = 0; i < end; ++i) {
             /* object is guaranteed to be "ready" */
             c = PyUnicode_READ_CHAR(object, i);
@@ -1036,6 +1040,8 @@
             return NULL;
         }
 
+        if (end - start > PY_SSIZE_T_MAX / bytelength)
+            end = start + PY_SSIZE_T_MAX / bytelength;
         res = PyBytes_FromStringAndSize(NULL, bytelength*(end-start));
         if (!res) {
             Py_DECREF(object);