]> granicus.if.org Git - python/commitdiff
projects / python / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 4dbc305)
fix possible overflow in encode_basestring_ascii (closes #23369)
authorBenjamin Peterson <benjamin@python.org>
Sun, 1 Feb 2015 22:53:53 +0000 (17:53 -0500)
committerBenjamin Peterson <benjamin@python.org>
Sun, 1 Feb 2015 22:53:53 +0000 (17:53 -0500)
Lib/test/test_json/test_encode_basestring_ascii.py patch | blob | history
Misc/NEWS patch | blob | history
Modules/_json.c patch | blob | history

diff --git a/Lib/test/test_json/test_encode_basestring_ascii.py b/Lib/test/test_json/test_encode_basestring_ascii.py
index 480afd686e453d7178c6b82e264ec9760faca210..3c014d327c1430462933bb7bf1d0fd1a4336bd1c 100644 (file)
--- a/Lib/test/test_json/test_encode_basestring_ascii.py
+++ b/Lib/test/test_json/test_encode_basestring_ascii.py
@@ -1,5 +1,6 @@
 from collections import OrderedDict
 from test.test_json import PyTest, CTest
+from test.support import bigaddrspacetest
 
 
 CASES = [
@@ -41,4 +42,10 @@ class TestEncodeBasestringAscii:
 
 
 class TestPyEncodeBasestringAscii(TestEncodeBasestringAscii, PyTest): pass
-class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): pass
+class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest):
+    @bigaddrspacetest
+    def test_overflow(self):
+        s = "\uffff"*((2**32)//6 + 1)
+        with self.assertRaises(OverflowError):
+            self.json.encoder.encode_basestring_ascii(s)
+
diff --git a/Misc/NEWS b/Misc/NEWS
index b203462fea9768f1068090d7bbead8916a908da3..b69955aa61a0ee12f04711c4d60da3ee32580aa7 100644 (file)
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,12 @@ Core and Builtins
 - Issue #23055: Fixed a buffer overflow in PyUnicode_FromFormatV.  Analysis
   and fix by Guido Vranken.
 
+Library
+-------
+
+- Issue #23369: Fixed possible integer overflow in
+  _json.encode_basestring_ascii.
+
 
 What's New in Python 3.3.6?
 ===========================
diff --git a/Modules/_json.c b/Modules/_json.c
index 4bc585dc2ab0d610b8019126e7df388838f9ade2..397037e56b99ebd502c3c9bcf38c63fcd6b10771 100644 (file)
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -216,17 +216,24 @@ ascii_escape_unicode(PyObject *pystr)
     /* Compute the output size */
     for (i = 0, output_size = 2; i < input_chars; i++) {
         Py_UCS4 c = PyUnicode_READ(kind, input, i);
-        if (S_CHAR(c))
-            output_size++;
+        Py_ssize_t d;
+        if (S_CHAR(c)) {
+            d = 1;
+        }
         else {
             switch(c) {
             case '\\': case '"': case '\b': case '\f':
             case '\n': case '\r': case '\t':
-                output_size += 2; break;
+                = 2; break;
             default:
-                output_size += c >= 0x10000 ? 12 : 6;
+                = c >= 0x10000 ? 12 : 6;
             }
         }
+        if (output_size > PY_SSIZE_T_MAX - d) {
+            PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
+            return NULL;
+        }
+        output_size += d;
     }
 
     rval = PyUnicode_New(output_size, 127);
Unnamed repository; edit this file 'description' to name the repository.