From 7e4b9057b3180ed1b7b26dc8f9a2d2162d4e83b0 Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Mon, 26 Jan 2015 01:22:54 +0200 Subject: [PATCH] Issue #23321: Fixed a crash in str.decode() when error handler returned replacment string longer than mailformed input data. --- Misc/NEWS | 3 +++ Objects/unicodeobject.c | 8 ++++++-- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/Misc/NEWS b/Misc/NEWS index 9b68d3d55b..4c4db0f9b0 100644 --- a/Misc/NEWS +++ b/Misc/NEWS @@ -11,6 +11,9 @@ Release date: TBA Core and Builtins ----------------- +- Issue #23321: Fixed a crash in str.decode() when error handler returned + replacment string longer than mailformed input data. + - Issue #23048: Fix jumping out of an infinite while loop in the pdb. - Issue #20335: bytes constructor now raises TypeError when encoding or errors diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 216cd6a3e5..84ab6a114c 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -4190,9 +4190,13 @@ unicode_decode_call_errorhandler_writer( if (PyUnicode_READY(repunicode) < 0) goto onError; replen = PyUnicode_GET_LENGTH(repunicode); - writer->min_length += replen; - if (replen > 1) + if (replen > 1) { + writer->min_length += replen - 1; writer->overallocate = 1; + if (_PyUnicodeWriter_Prepare(writer, writer->min_length, + PyUnicode_MAX_CHAR_VALUE(repunicode)) == -1) + goto onError; + } if (_PyUnicodeWriter_WriteStr(writer, repunicode) == -1) goto onError; -- 2.40.0