changeset: 102635:6fa0ebfdc136 branch: 2.7 parent: 102632:b1e4c8a3e786 user: Benjamin Peterson benjamin@python.org date: Sat Aug 13 16:47:25 2016 -0700 files: Misc/NEWS Modules/_json.c description: fix possible overflow in encode_basestring_ascii (#23369)
diff -r b1e4c8a3e786 -r 6fa0ebfdc136 Misc/NEWS
--- a/Misc/NEWS Sat Aug 13 14:46:23 2016 -0400
+++ b/Misc/NEWS Sat Aug 13 16:47:25 2016 -0700
@@ -29,6 +29,9 @@
 Library
 -------
+- Issue #23369: Fixed possible integer overflow in
+ _json.encode_basestring_ascii.
+
 - Issue #27568: Prevent HTTPoxy attack (CVE-2016-1000110). Ignore the HTTP_PROXY variable when REQUEST_METHOD environment is set, which indicates that the script is in CGI mode.
diff -r b1e4c8a3e786 -r 6fa0ebfdc136 Modules/_json.c
--- a/Modules/_json.c Sat Aug 13 14:46:23 2016 -0400
+++ b/Modules/_json.c Sat Aug 13 16:47:25 2016 -0700
@@ -211,6 +211,10 @@
 input_unicode = PyUnicode_AS_UNICODE(pystr);
 /* One char input can be up to 6 chars output, estimate 4 of these */
+ if (input_chars > (PY_SSIZE_T_MAX - 2)/ MAX_EXPANSION) {
+ PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
+ return NULL;
+ }
 output_size = 2 + (MIN_EXPANSION * 4) + input_chars;
 max_output_size = 2 + (input_chars * MAX_EXPANSION);
 rval = PyString_FromStringAndSize(NULL, output_size);
/benjamin@python.org
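Review bot: The new guard in the Modules/_json.c hunk has no comment tying it to `max_output_size = 2 + (input_chars * MAX_EXPANSION)` two lines below, and it now separates the existing "One char input can be up to 6 chars output" comment from the estimate that comment describes. I would place the guard above that comment and give it its own, `/* 2 + input_chars * MAX_EXPANSION must fit in Py_ssize_t */`, so the bound and the arithmetic it protects stay visibly in sync. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here whether later resizing toward `max_output_size`, or any sibling escaping routine that does the same arithmetic, needs the same check. The file list names only Misc/NEWS and Modules/_json.c, so no regression test accompanies the fix.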