(original) (raw)

changeset: 94438:8699b3085db3 branch: 3.3 parent: 94340:6caed177a028 user: Benjamin Peterson benjamin@python.org date: Sun Feb 01 17:53:53 2015 -0500 files: Lib/test/test_json/test_encode_basestring_ascii.py Misc/NEWS Modules/_json.c description: fix possible overflow in encode_basestring_ascii (closes #23369) diff -r 6caed177a028 -r 8699b3085db3 Lib/test/test_json/test_encode_basestring_ascii.py --- a/Lib/test/test_json/test_encode_basestring_ascii.py Tue Jan 27 22🔞46 2015 +0200 +++ b/Lib/test/test_json/test_encode_basestring_ascii.py Sun Feb 01 17:53:53 2015 -0500 @@ -1,5 +1,6 @@ from collections import OrderedDict from test.test_json import PyTest, CTest +from test.support import bigaddrspacetest CASES = [ @@ -41,4 +42,10 @@ class TestPyEncodeBasestringAscii(TestEncodeBasestringAscii, PyTest): pass -class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): pass +class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): + @bigaddrspacetest + def test_overflow(self): + s = "\uffff"*((2**32)//6 + 1) + with self.assertRaises(OverflowError): + self.json.encoder.encode_basestring_ascii(s) + diff -r 6caed177a028 -r 8699b3085db3 Misc/NEWS --- a/Misc/NEWS Tue Jan 27 22🔞46 2015 +0200 +++ b/Misc/NEWS Sun Feb 01 17:53:53 2015 -0500 @@ -13,6 +13,12 @@ - Issue #23055: Fixed a buffer overflow in PyUnicode_FromFormatV. Analysis and fix by Guido Vranken. +Library +------- + +- Issue #23369: Fixed possible integer overflow in + _json.encode_basestring_ascii. + What's New in Python 3.3.6? =========================== diff -r 6caed177a028 -r 8699b3085db3 Modules/_json.c --- a/Modules/_json.c Tue Jan 27 22🔞46 2015 +0200 +++ b/Modules/_json.c Sun Feb 01 17:53:53 2015 -0500 @@ -216,17 +216,24 @@ /* Compute the output size */ for (i = 0, output_size = 2; i < input_chars; i++) { Py_UCS4 c = PyUnicode_READ(kind, input, i); - if (S_CHAR(c)) - output_size++; + Py_ssize_t d; + if (S_CHAR(c)) { + d = 1; + } else { switch(c) { case '\\': case '"': case '\b': case '\f': case '\n': case '\r': case '\t': - output_size += 2; break; + d = 2; break; default: - output_size += c >= 0x10000 ? 12 : 6; + d = c >= 0x10000 ? 12 : 6; } } + if (output_size > PY_SSIZE_T_MAX - d) { + PyErr_SetString(PyExc_OverflowError, "string is too long to escape"); + return NULL; + } + output_size += d; } rval = PyUnicode_New(output_size, 127); /benjamin@python.org