changeset: 92790:3f7519f633ed branch: 2.7 parent: 92785:911da1072099 user: Serhiy Storchaka date: Sat Oct 04 14:14:41 2014 +0300 files: Misc/NEWS Python/codecs.c description: Issue #22518: Fixed integer overflow issues in "backslashreplace" and "xmlcharrefreplace" error handlers. diff -r 911da1072099 -r 3f7519f633ed Misc/NEWS --- a/Misc/NEWS Sat Oct 04 13:39:18 2014 +0300 +++ b/Misc/NEWS Sat Oct 04 14:14:41 2014 +0300 @@ -10,6 +10,9 @@ Core and Builtins ----------------- +- Issue #22518: Fixed integer overflow issues in "backslashreplace" and + "xmlcharrefreplace" error handlers. + - Issue #22526: Fix iterating through files with lines longer than 2^31 bytes. - Issue #22519: Fix overflow checking in PyString_Repr. diff -r 911da1072099 -r 3f7519f633ed Python/codecs.c --- a/Python/codecs.c Sat Oct 04 13:39:18 2014 +0300 +++ b/Python/codecs.c Sat Oct 04 14:14:41 2014 +0300 @@ -558,7 +558,7 @@ Py_UNICODE *startp; Py_UNICODE *e; Py_UNICODE *outp; - int ressize; + Py_ssize_t ressize; if (PyUnicodeEncodeError_GetStart(exc, &start)) return NULL; if (PyUnicodeEncodeError_GetEnd(exc, &end)) @@ -566,6 +566,14 @@ if (!(object = PyUnicodeEncodeError_GetObject(exc))) return NULL; startp = PyUnicode_AS_UNICODE(object); + if (end - start > PY_SSIZE_T_MAX / (2+7+1)) { + end = start + PY_SSIZE_T_MAX / (2+7+1); +#ifndef Py_UNICODE_WIDE + ch = startp[end - 1]; + if (0xD800 <= ch && ch <= 0xDBFF) + end--; +#endif + } e = startp + end; for (p = startp+start, ressize = 0; p < e;) { Py_UCS4 ch = *p++; @@ -675,13 +683,15 @@ Py_UNICODE *p; Py_UNICODE *startp; Py_UNICODE *outp; - int ressize; + Py_ssize_t ressize; if (PyUnicodeEncodeError_GetStart(exc, &start)) return NULL; if (PyUnicodeEncodeError_GetEnd(exc, &end)) return NULL; if (!(object = PyUnicodeEncodeError_GetObject(exc))) return NULL; + if (end - start > PY_SSIZE_T_MAX / (1+1+8)) + end = start + PY_SSIZE_T_MAX / (1+1+8); startp = PyUnicode_AS_UNICODE(object); for (p = startp+start, ressize = 0; p < startp+end; ++p) { #ifdef Py_UNICODE_WIDE