cpython: 8699b3085db3 (original) (raw)

Mercurial > cpython

changeset 94438:8699b3085db3 3.3

fix possible overflow in encode_basestring_ascii (closes #23369) [#23369]

Benjamin Peterson benjamin@python.org
date	Sun, 01 Feb 2015 17:53:53 -0500
parents	6caed177a028
children	4f47509d7417 1801b2571587
files	Lib/test/test_json/test_encode_basestring_ascii.py Misc/NEWS Modules/_json.c
diffstat	3 files changed, 25 insertions(+), 5 deletions(-)[+] [-] Lib/test/test_json/test_encode_basestring_ascii.py 9 Misc/NEWS 6 Modules/_json.c 15

line wrap: on

line diff

--- a/Lib/test/test_json/test_encode_basestring_ascii.py +++ b/Lib/test/test_json/test_encode_basestring_ascii.py @@ -1,5 +1,6 @@ from collections import OrderedDict from test.test_json import PyTest, CTest +from test.support import bigaddrspacetest CASES = [ @@ -41,4 +42,10 @@ class TestEncodeBasestringAscii: class TestPyEncodeBasestringAscii(TestEncodeBasestringAscii, PyTest): pass -class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): pass +class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest):

@bigaddrspacetest
def test_overflow(self):

   s = "\uffff"*((2**32)//6 + 1)[](#l1.18)

   with self.assertRaises(OverflowError):[](#l1.19)

       self.json.encoder.encode_basestring_ascii(s)[](#l1.20)

--- a/Misc/NEWS +++ b/Misc/NEWS @@ -13,6 +13,12 @@ Core and Builtins

Issue #23055: Fixed a buffer overflow in PyUnicode_FromFormatV. Analysis and fix by Guido Vranken. +Library +------- + +- Issue #23369: Fixed possible integer overflow in

_json.encode_basestring_ascii. + What's New in Python 3.3.6? ===========================

--- a/Modules/_json.c +++ b/Modules/_json.c @@ -216,17 +216,24 @@ ascii_escape_unicode(PyObject pystr) / Compute the output size */ for (i = 0, output_size = 2; i < input_chars; i++) { Py_UCS4 c = PyUnicode_READ(kind, input, i);

```
   if (S_CHAR(c))[](#l3.7)
```
```
       output_size++;[](#l3.8)
```

```
   Py_ssize_t d;[](#l3.9)
```
```
   if (S_CHAR(c)) {[](#l3.10)
```
```
       d = 1;[](#l3.11)
```

   }[](#l3.12)
   else {[](#l3.13)
       switch(c) {[](#l3.14)
       case '\\': case '"': case '\b': case '\f':[](#l3.15)
       case '\n': case '\r': case '\t':[](#l3.16)

           output_size += 2; break;[](#l3.17)

           d = 2; break;[](#l3.18)
       default:[](#l3.19)

           output_size += c >= 0x10000 ? 12 : 6;[](#l3.20)

           d = c >= 0x10000 ? 12 : 6;[](#l3.21)
       }[](#l3.22)
   }[](#l3.23)

   if (output_size > PY_SSIZE_T_MAX - d) {[](#l3.24)

       PyErr_SetString(PyExc_OverflowError, "string is too long to escape");[](#l3.25)

```
       return NULL;[](#l3.26)
```
```
   }[](#l3.27)
```
```
   output_size += d;[](#l3.28)
```
} rval = PyUnicode_New(output_size, 127);