[Python-checkins] cpython (3.3): fix possible overflow in encode_basestring_ascii (closes #23369)

Mon Feb 2 00:02:56 CET 2015

https://hg.python.org/cpython/rev/8699b3085db3
changeset: 94438:8699b3085db3
branch: 3.3
parent: 94340:6caed177a028
user: Benjamin Peterson <benjamin at python.org>
date: Sun Feb 01 17:53:53 2015 -0500
summary:
 fix possible overflow in encode_basestring_ascii (closes #23369)
files:
 Lib/test/test_json/test_encode_basestring_ascii.py | 9 +++++-
 Misc/NEWS | 6 ++++
 Modules/_json.c | 15 +++++++--
 3 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/Lib/test/test_json/test_encode_basestring_ascii.py b/Lib/test/test_json/test_encode_basestring_ascii.py
--- a/Lib/test/test_json/test_encode_basestring_ascii.py
+++ b/Lib/test/test_json/test_encode_basestring_ascii.py
@@ -1,5 +1,6 @@
 from collections import OrderedDict
 from test.test_json import PyTest, CTest
+from test.support import bigaddrspacetest
 
 
 CASES = [
@@ -41,4 +42,10 @@
 
 
 class TestPyEncodeBasestringAscii(TestEncodeBasestringAscii, PyTest): pass
-class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): pass
+class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest):
+ @bigaddrspacetest
+ def test_overflow(self):
+ s = "\uffff"*((2**32)//6 + 1)
+ with self.assertRaises(OverflowError):
+ self.json.encoder.encode_basestring_ascii(s)
+
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,12 @@
 - Issue #23055: Fixed a buffer overflow in PyUnicode_FromFormatV. Analysis
 and fix by Guido Vranken.
 
+Library
+-------
+
+- Issue #23369: Fixed possible integer overflow in
+ _json.encode_basestring_ascii.
+
 
 What's New in Python 3.3.6?
 ===========================
diff --git a/Modules/_json.c b/Modules/_json.c
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -216,17 +216,24 @@
 /* Compute the output size */
 for (i = 0, output_size = 2; i < input_chars; i++) {
 Py_UCS4 c = PyUnicode_READ(kind, input, i);
- if (S_CHAR(c))
- output_size++;
+ Py_ssize_t d;
+ if (S_CHAR(c)) {
+ d = 1;
+ }
 else {
 switch(c) {
 case '\\': case '"': case '\b': case '\f':
 case '\n': case '\r': case '\t':
- output_size += 2; break;
+ d = 2; break;
 default:
- output_size += c >= 0x10000 ? 12 : 6;
+ d = c >= 0x10000 ? 12 : 6;
 }
 }
+ if (output_size > PY_SSIZE_T_MAX - d) {
+ PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
+ return NULL;
+ }
+ output_size += d;
 }
 
 rval = PyUnicode_New(output_size, 127);
-- 
Repository URL: https://hg.python.org/cpython
