From: Serhiy Storchaka
Date: Sat, 4 Oct 2014 11:15:49 +0000 (+0300)
Subject: Issue #22518: Fixed integer overflow issues in "backslashreplace",
X-Git-Tag: v3.5.0a1~767^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2e374098ff791c81576ff2ba2961dc5011a693bf;p=python
Issue #22518: Fixed integer overflow issues in "backslashreplace", "xmlcharrefreplace", and "surrogatepass" error handlers.
---
diff --git a/Misc/NEWS b/Misc/NEWS
index 671cc50270..a33c4acd16 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -9,6 +9,9 @@ What's New in Python 3.4.3? Core and Builtins ----------------- +- Issue #22518: Fixed integer overflow issues in "backslashreplace", + "xmlcharrefreplace", and "surrogatepass" error handlers. + - Issue #22520: Fix overflow checking when generating the repr of a unicode object.
diff --git a/Python/codecs.c b/Python/codecs.c
index e584accf72..6849c0f9a4 100644
--- a/Python/codecs.c
+++ b/Python/codecs.c
@@ -773,7 +773,7 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
 Py_ssize_t end;
 PyObject *res;
 unsigned char *outp;
- int ressize;
+ Py_ssize_t ressize;
 Py_UCS4 ch;
 if (PyUnicodeEncodeError_GetStart(exc, &start))
 return NULL;
@@ -781,6 +781,8 @@ PyObject *PyCodec_XMLCharRefReplaceErrors(PyObject *exc)
 return NULL;
 if (!(object = PyUnicodeEncodeError_GetObject(exc)))
 return NULL;
+ if (end - start > PY_SSIZE_T_MAX / (2+7+1))
+ end = start + PY_SSIZE_T_MAX / (2+7+1);
 for (i = start, ressize = 0; i < end; ++i) {
 /* object is guaranteed to be "ready" */
 ch = PyUnicode_READ_CHAR(object, i);
@@ -869,7 +871,7 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
 Py_ssize_t end;
 PyObject *res;
 unsigned char *outp;
- int ressize;
+ Py_ssize_t ressize;
 Py_UCS4 c;
 if (PyUnicodeEncodeError_GetStart(exc, &start))
 return NULL;
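Review bot: The clamp added in the `@@ -781` hunk of PyCodec_XMLCharRefReplaceErrors carries no comment saying what the divisor `(2+7+1)` stands for or that shortening `end` is deliberate, so the bound that keeps `ressize` (and the buffer sized from it) from wrapping is easy to break in a later edit. I would put `/* worst case per char: "&#" + 7 decimal digits + ";"; shorten the range so ressize cannot exceed PY_SSIZE_T_MAX */` above the check, and name the literal once instead of repeating it on both lines. The same applies to the `(1+1+8)` check in PyCodec_BackslashReplaceErrors (`@@ -877`), where the worst case is presumably a backslash, `U` and 8 hex digits. Both functions start and end outside their hunks, so it is worth confirming that the shortened `end` is also the resume position returned to the caller; otherwise the skipped characters would be dropped silently.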
@@ -877,6 +879,8 @@ PyObject *PyCodec_BackslashReplaceErrors(PyObject *exc)
 return NULL;
 if (!(object = PyUnicodeEncodeError_GetObject(exc)))
 return NULL;
+ if (end - start > PY_SSIZE_T_MAX / (1+1+8))
+ end = start + PY_SSIZE_T_MAX / (1+1+8);
 for (i = start, ressize = 0; i < end; ++i) {
 /* object is guaranteed to be "ready" */
 c = PyUnicode_READ_CHAR(object, i);
@@ -1023,6 +1027,8 @@ PyCodec_SurrogatePassErrors(PyObject *exc) code = get_standard_encoding(encoding, &bytelength); Py_DECREF(encode); + if (end - start > PY_SSIZE_T_MAX / bytelength) + end = start + PY_SSIZE_T_MAX / bytelength; res = PyBytes_FromStringAndSize(NULL, bytelength*(end-start)); if (!res) { Py_DECREF(object);
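Review bot: `bytelength` is used as a divisor in the check added by the `@@ -1023` hunk of PyCodec_SurrogatePassErrors, and nothing visible guarantees it is positive or even assigned at that point. It is an out-parameter of get_standard_encoding(), whose result `code` is not tested between the call and the division; if that helper can return for an unrecognised encoding without writing `bytelength` (its body is outside this hunk), `PY_SSIZE_T_MAX / bytelength` divides by zero or by an indeterminate value, and the allocation size on the next line is equally unreliable. A guard ahead of the new check would close this, for example `if (bytelength <= 0) { PyErr_SetObject(PyExceptionInstance_Class(exc), exc); Py_DECREF(object); return NULL; }`, or an equivalent test on `code`. The function begins and ends outside the hunk, so an existing check further up may already cover this.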