homepage

scanstring_str() and scanstring_unicode() functions don't end value 
whereas it can be outside input string range. A check like this is 
needed:
 if (end < 0 || len <= end) {
 PyErr_SetString(PyExc_ValueError, "xxx");
 return NULL;
 }
next is set to begin but few lines later (before first use of next), 
it's set to end: for (next = end; ...). 
In error message, eg. "Invalid control character at (...)", begin is 
used as character position but I think that the right position is in 
the variable "end" (or maybe "next"?).
I'm unable to fix these functions because I don't understand the code.

To reproduce the crash, try very big negative integer as second 
argument. Example:
>>> _json.scanstring("test", -23492394)
Erreur de segmentation (core dumped)
>>> _json.scanstring(u"test", -1239239)
Erreur de segmentation (core dumped)

Bob, do you know how to fix this?

I wrote that I'm unable to fix the bug correctly, but I wrote a patch 
to avoid the crash:
- replace begin by end in error messages: is it correct?
- use "end < 0 || len <= end" test to check scanstring() second 
argument => raise a ValueError if end value is invalid

Am I to understand that the bug here is that the C extension doesn't
validate input properly if you call into it directly? Without a test I'm
not entirely sure exactly how you could possibly get negative values
into those functions using the json module as-is.

I've audited the patch, while it does fix the input range it looks like
it regresses other things (at least the error messages). "begin" was
intentionally used. The patch is not suitable for use, I'll create a
minimal patch that just fixes input validation.

I just committed a fix to trunk in r65147, needs port to py3k?

Was merged in r65148.