Issue #16335: Fix integer overflow in unicode-escape decoder.

diff --git a/Lib/test/test_ucn.py b/Lib/test/test_ucn.py
index 775044b9915502c3ef02baf941d98551e4ac621d..1d303dc97d73156fc806db3e9f0aa3d5c3f0064b 100644 (file)
--- a/Lib/test/test_ucn.py
+++ b/Lib/test/test_ucn.py
@@ -8,6 +8,7 @@ Modified for Python 2.0 by Fredrik Lundh (fredrik@pythonware.com)
 """#"
 
 import unittest
+import _testcapi
 
 from test import test_support
 
@@ -137,6 +138,21 @@ class UnicodeNamesTest(unittest.TestCase):
             unicode, "\\NSPACE", 'unicode-escape', 'strict'
         )
 
+    @unittest.skipUnless(_testcapi.INT_MAX < _testcapi.PY_SSIZE_T_MAX,
+                         "needs UINT_MAX < SIZE_MAX")
+    def test_issue16335(self):
+        # very very long bogus character name
+        try:
+            x = b'\\N{SPACE' + b'x' * int(_testcapi.UINT_MAX + 1) + b'}'
+        except MemoryError:
+            raise unittest.SkipTest("not enough memory")
+        self.assertEqual(len(x), len(b'\\N{SPACE}') + (_testcapi.UINT_MAX + 1))
+        self.assertRaisesRegex(UnicodeError,
+            'unknown Unicode character name',
+            x.decode, 'unicode-escape'
+        )
+
+
 def test_main():
     test_support.run_unittest(UnicodeNamesTest)
 

diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 46bfe2b54c39403ab9c4692ca9fe52e2cf2ccf63..c1b38cc4fe04da9eb5a2e2c4bcc312fec9b3927c 100644 (file)
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -2899,7 +2899,8 @@ PyObject *PyUnicode_DecodeUnicodeEscape(const char *s,
                     /* found a name.  look it up in the unicode database */
                     message = "unknown Unicode character name";
                     s++;
-                    if (ucnhash_CAPI->getcode(NULL, start, (int)(s-start-1), &chr))
+                    if (s - start - 1 <= INT_MAX &&
+                        ucnhash_CAPI->getcode(NULL, start, (int)(s-start-1), &chr))
                         goto store;
                 }
             }