(original) (raw)

changeset: 94440:02aeca4974ac parent: 94436:582aabcce2fd parent: 94439:4f47509d7417 user: Benjamin Peterson benjamin@python.org date: Sun Feb 01 18:00:19 2015 -0500 files: Lib/test/test_json/test_encode_basestring_ascii.py Lib/test/test_unicode.py Misc/NEWS Modules/_json.c Objects/unicodeobject.c description: merge 3.4 (#23369) diff -r 582aabcce2fd -r 02aeca4974ac Lib/test/test_json/test_encode_basestring_ascii.py --- a/Lib/test/test_json/test_encode_basestring_ascii.py Sun Feb 01 19:47:25 2015 +0100 +++ b/Lib/test/test_json/test_encode_basestring_ascii.py Sun Feb 01 18:00:19 2015 -0500 @@ -1,5 +1,6 @@ from collections import OrderedDict from test.test_json import PyTest, CTest +from test.support import bigaddrspacetest CASES = [ @@ -38,4 +39,10 @@ class TestPyEncodeBasestringAscii(TestEncodeBasestringAscii, PyTest): pass -class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): pass +class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): + @bigaddrspacetest + def test_overflow(self): + s = "\uffff"*((2**32)//6 + 1) + with self.assertRaises(OverflowError): + self.json.encoder.encode_basestring_ascii(s) + diff -r 582aabcce2fd -r 02aeca4974ac Misc/NEWS --- a/Misc/NEWS Sun Feb 01 19:47:25 2015 +0100 +++ b/Misc/NEWS Sun Feb 01 18:00:19 2015 -0500 @@ -229,6 +229,9 @@ - Issue #23326: Removed __ne__ implementations. Since fixing default __ne__ implementation in issue #21408 they are redundant. +- Issue #23369: Fixed possible integer overflow in + _json.encode_basestring_ascii. + - Issue #23353: Fix the exception handling of generators in PyEval_EvalFrameEx(). At entry, save or swap the exception state even if PyEval_EvalFrameEx() is called with throwflag=0. At exit, the exception state diff -r 582aabcce2fd -r 02aeca4974ac Modules/_json.c --- a/Modules/_json.c Sun Feb 01 19:47:25 2015 +0100 +++ b/Modules/_json.c Sun Feb 01 18:00:19 2015 -0500 @@ -182,17 +182,24 @@ /* Compute the output size */ for (i = 0, output_size = 2; i < input_chars; i++) { Py_UCS4 c = PyUnicode_READ(kind, input, i); - if (S_CHAR(c)) - output_size++; + Py_ssize_t d; + if (S_CHAR(c)) { + d = 1; + } else { switch(c) { case '\\': case '"': case '\b': case '\f': case '\n': case '\r': case '\t': - output_size += 2; break; + d = 2; break; default: - output_size += c >= 0x10000 ? 12 : 6; + d = c >= 0x10000 ? 12 : 6; } } + if (output_size > PY_SSIZE_T_MAX - d) { + PyErr_SetString(PyExc_OverflowError, "string is too long to escape"); + return NULL; + } + output_size += d; } rval = PyUnicode_New(output_size, 127); /benjamin@python.org