From 7af6eec6d05e336d4e64c37f458b4fa68752e9d3 Mon Sep 17 00:00:00 2001
From: Benjamin Peterson <benjamin@python.org>
Date: Sat, 19 Jul 2008 22:26:35 +0000
Subject: [PATCH] Merged revisions 65147 via svnmerge from
 svn+ssh://pythondev@svn.python.org/python/trunk

........
  r65147 | bob.ippolito | 2008-07-19 16:59:50 -0500 (Sat, 19 Jul 2008) | 1 line

  #3322: bounds checking for _json.scanstring
........
---
 Modules/_json.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/Modules/_json.c b/Modules/_json.c
index a4308fdc7e..1cf1e63cd5 100644
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -236,6 +236,10 @@ scanstring_str(PyObject *pystr, Py_ssize_t end, char *encoding, int strict)
     if (chunks == NULL) {
         goto bail;
     }
+    if (end < 0 || len <= end) {
+        PyErr_SetString(PyExc_ValueError, "end is out of bounds");
+        goto bail;
+    }
     while (1) {
         /* Find the end of the string or the next escape */
         Py_UNICODE c = 0;
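Review bot: The added guard on `end` is the only check between a caller-supplied index and the scan loop that follows, yet it has no comment stating the accepted range and no regression test (the diffstat lists only Modules/_json.c). I would put `/* end comes from the caller and indexes the buffer below; accept only 0 <= end < len */` above the `if`, and add tests that call scanstring with a negative `end`, `end == len` and `end > len` and expect ValueError. Note that `len <= end` also rejects `end == len`, where the loop would presumably read nothing; if that case should be reported as an unterminated string instead, the comparison should be `len < end`. The identical guard in the scanstring_unicode hunk needs the same comment and tests, and both function bodies start and end outside the hunks shown.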
@@ -246,7 +250,7 @@ scanstring_str(PyObject *pystr, Py_ssize_t end, char *encoding, int strict)
                 break;
             }
             else if (strict && c <= 0x1f) {
-                raise_errmsg("Invalid control character at", pystr, begin);
+                raise_errmsg("Invalid control character at", pystr, next);
                 goto bail;
             }
         }
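Review bot: The offset passed to raise_errmsg changes from `begin` to `next` here, which alters the position reported for a control character in strict mode, but the commit subject mentions only bounds checking and no test pins the new offset. Assuming `next` is the index of the character just read into `c` (the loop header is outside the hunk), a one-line comment such as `/* report the offending character's offset, not the start of the string */` would record the intent. The same change in the scanstring_unicode hunk should get the same comment.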
@@ -401,6 +405,10 @@ scanstring_unicode(PyObject *pystr, Py_ssize_t end, int strict)
     if (chunks == NULL) {
         goto bail;
     }
+    if (end < 0 || len <= end) {
+        PyErr_SetString(PyExc_ValueError, "end is out of bounds");
+        goto bail;
+    }
     while (1) {
         /* Find the end of the string or the next escape */
         Py_UNICODE c = 0;
@@ -411,7 +419,7 @@ scanstring_unicode(PyObject *pystr, Py_ssize_t end, int strict)
                 break;
             }
             else if (strict && c <= 0x1f) {
-                raise_errmsg("Invalid control character at", pystr, begin);
+                raise_errmsg("Invalid control character at", pystr, next);
                 goto bail;
             }
         }
-- 
2.49.0