Issue #16335: Fix integer overflow in unicode-escape decoder.

diff --git a/Lib/test/test_ucn.py b/Lib/test/test_ucn.py
index fd620f01e4754eedb657c7cc6edf6dd72f81eb56..de36cc366f066ab86ea6d1e8d6b45f7efe15e65d 100644 (file)
--- a/Lib/test/test_ucn.py
+++ b/Lib/test/test_ucn.py
@@ -8,6 +8,7 @@ Modified for Python 2.0 by Fredrik Lundh (fredrik@pythonware.com)
 """#"
 
 import unittest
+import _testcapi
 
 from test import support
 
@@ -141,6 +142,21 @@ class UnicodeNamesTest(unittest.TestCase):
             str, b"\\NSPACE", 'unicode-escape', 'strict'
         )
 
+    @unittest.skipUnless(_testcapi.INT_MAX < _testcapi.PY_SSIZE_T_MAX,
+                         "needs UINT_MAX < SIZE_MAX")
+    def test_issue16335(self):
+        # very very long bogus character name
+        try:
+            x = b'\\N{SPACE' + b'x' * (_testcapi.UINT_MAX + 1) + b'}'
+        except MemoryError:
+            raise unittest.SkipTest("not enough memory")
+        self.assertEqual(len(x), len(b'\\N{SPACE}') + (_testcapi.UINT_MAX + 1))
+        self.assertRaisesRegex(UnicodeError,
+            'unknown Unicode character name',
+            x.decode, 'unicode-escape'
+        )
+
+
 def test_main():
     support.run_unittest(UnicodeNamesTest)
 

diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 80a70b658526f731e38c2f3a2e91e0cff90ac124..ddd8d5307616a06fb41aacac43413a497d5aba4b 100644 (file)
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -3923,7 +3923,8 @@ PyObject *PyUnicode_DecodeUnicodeEscape(const char *s,
                     /* found a name.  look it up in the unicode database */
                     message = "unknown Unicode character name";
                     s++;
-                    if (ucnhash_CAPI->getcode(NULL, start, (int)(s-start-1), &chr))
+                    if (s - start - 1 <= INT_MAX &&
+                        ucnhash_CAPI->getcode(NULL, start, (int)(s-start-1), &chr))
                         goto store;
                 }
             }