mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-07-19 01:05:26 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

prevent overflow in unicode_repr (closes #22520)

Browse source
This commit is contained in:
Benjamin Peterson 2014-09-29 23:02:15 -04:00
parent bbd0a323ae
commit 736b8012b4
2 changed files with 20 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

3
Misc/NEWS
View file

@ -10,6 +10,9 @@ What's New in Python 3.3.6 release candidate 1?
Core and Builtins Core and Builtins
----------------- -----------------
- Issue #22520: Fix overflow checking when generating the repr of a unicode
object.
- Issue #22519: Fix overflow checking in PyBytes_Repr. - Issue #22519: Fix overflow checking in PyBytes_Repr.
- Issue #22518: Fix integer overflow issues in latin-1 encoding. - Issue #22518: Fix integer overflow issues in latin-1 encoding.

28
Objects/unicodeobject.c
View file

@ -12000,28 +12000,34 @@ unicode_repr(PyObject *unicode)
ikind = PyUnicode_KIND(unicode); ikind = PyUnicode_KIND(unicode);
for (i = 0; i < isize; i++) { for (i = 0; i < isize; i++) {
Py_UCS4 ch = PyUnicode_READ(ikind, idata, i); Py_UCS4 ch = PyUnicode_READ(ikind, idata, i);
Py_ssize_t incr = 1;
switch (ch) { switch (ch) {
case '\'': squote++; osize++; break; case '\'': squote++; break;
case '"': dquote++; osize++; break; case '"': dquote++; break;
case '\\': case '\t': case '\r': case '\n': case '\\': case '\t': case '\r': case '\n':
osize += 2; break; incr = 2;
break;
default: default:
/* Fast-path ASCII */ /* Fast-path ASCII */
if (ch < ' ' || ch == 0x7f) if (ch < ' ' || ch == 0x7f)
osize += 4; /* \xHH */ incr = 4; /* \xHH */
else if (ch < 0x7f) else if (ch < 0x7f)
osize++; ;
else if (Py_UNICODE_ISPRINTABLE(ch)) { else if (Py_UNICODE_ISPRINTABLE(ch))
osize++;
max = ch > max ? ch : max; max = ch > max ? ch : max;
}
else if (ch < 0x100) else if (ch < 0x100)
osize += 4; /* \xHH */ incr = 4; /* \xHH */
else if (ch < 0x10000) else if (ch < 0x10000)
osize += 6; /* \uHHHH */ incr = 6; /* \uHHHH */
else else
osize += 10; /* \uHHHHHHHH */ incr = 10; /* \uHHHHHHHH */
} }
if (osize > PY_SSIZE_T_MAX - incr) {
PyErr_SetString(PyExc_OverflowError,
"string is too long to generate repr");
return NULL;
}
osize += incr;
} }
quote = '\''; quote = '\'';