New submission from paul:

# static PyObject *
# unicode_encode_ucs1(PyObject *unicode,
#                     const char *errors,
#                     unsigned int limit)
# {
#     ...
#     while (pos < size) {
#         ...
#         case 4: /* xmlcharrefreplace */
#             /* determine replacement size */
#             for (i = collstart, repsize = 0; i < collend; ++i) {
#                 Py_UCS4 ch = PyUnicode_READ(kind, data, i);
#                 ...
#                 else if (ch < 100000)
# 1                   repsize += 2+5+1;
#                 ...
#             }
# 2           requiredsize = respos+repsize+(size-collend);
#             if (requiredsize > ressize) {
#                 ...
#                 if (_PyBytes_Resize(&res, requiredsize))
#                     ...
#             }
#             /* generate replacement */
#             for (i = collstart; i < collend; ++i) {
# 3               str += sprintf(str, "&#%d;", PyUnicode_READ(kind, data, i));
#             }
#
# 1. ch=0xffff<100000, so repsize = (number of unicode chars in string)*8
#    =2^29*2^3=2^32 == 0 (mod 2^32)
# 2. respos==0, collend==0, so requiredsize=repsize==0, so the destination buffer
#    isn't resized
# 3. overwrite
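The following C program is an added illustration of the size arithmetic in the report; it is not part of the report, the attached proof of concept, or CPython. It assumes a 32-bit size type (`size32_t`, a stand-in for a 32-bit `Py_ssize_t`) so that the "mod 2^32" wraparound described in note 1 is reproduced, and it generalises the single `ch < 100000 -> 2+5+1` branch to a `charref_len()` that counts the decimal digits of any code point. `requiredsize_unchecked()` performs the same arithmetic as the quoted code (a multiplication replaces the per-character loop), and `requiredsize_checked()` shows the pre-allocation overflow check a defender would want: every intermediate sum is tested against `UINT32_MAX` before it is computed, so a wrapped size is rejected rather than passed to `_PyBytes_Resize()` and `sprintf()`.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption of this example: a 32-bit size type, matching the "mod 2^32"
   arithmetic in the report (a 32-bit Py_ssize_t build). On a 64-bit build
   Py_ssize_t is 64 bits and the same inputs would not wrap. */
typedef uint32_t size32_t;

/* Bytes needed for the "&#<decimal>;" form of one code point:
   '&', '#', the decimal digits, ';'. Generalises the single
   "ch < 100000 -> 2+5+1" branch quoted in the report to any code point. */
size32_t charref_len(uint32_t ch) {
    size32_t digits = 1;
    while (ch >= 10) {
        ch /= 10;
        digits++;
    }
    return 2 + digits + 1;
}

/* Wrapping arithmetic, as the quoted code effectively performs it when every
   code point in the run [collstart, collend) is `ch`. A multiplication stands
   in for the per-character loop; the wraparound is identical. */
size32_t requiredsize_unchecked(size32_t respos, size32_t size,
                                size32_t collstart, size32_t collend,
                                uint32_t ch) {
    size32_t repsize = (collend - collstart) * charref_len(ch);
    return respos + repsize + (size - collend);
}

/* Checked version: every step is tested against UINT32_MAX before it is
   performed. Returns 0 and stores the result in *out (when out is non-NULL),
   or -1 if any intermediate value would wrap, so the caller can refuse the
   allocation instead of handing sprintf() a buffer that is too small. */
int requiredsize_checked(size32_t respos, size32_t size,
                         size32_t collstart, size32_t collend,
                         uint32_t ch, size32_t *out) {
    size32_t nchars = collend - collstart;
    size32_t per = charref_len(ch);          /* never 0: at least 4 bytes */
    if (nchars > UINT32_MAX / per)
        return -1;                           /* repsize would wrap */
    size32_t repsize = nchars * per;
    if (respos > UINT32_MAX - repsize)
        return -1;                           /* respos + repsize would wrap */
    size32_t acc = respos + repsize;
    size32_t tail = size - collend;
    if (acc > UINT32_MAX - tail)
        return -1;                           /* final sum would wrap */
    if (out)
        *out = acc + tail;
    return 0;
}

/* Convenience wrapper: returns the checked size, or 0 on overflow. A genuine
   result of 0 only occurs for an empty run with nothing before or after it,
   so callers that always have input to encode can treat 0 as "refused". */
size32_t requiredsize_or_zero(size32_t respos, size32_t size,
                              size32_t collstart, size32_t collend,
                              uint32_t ch) {
    size32_t out;
    if (requiredsize_checked(respos, size, collstart, collend, ch, &out) != 0)
        return 0;
    return out;
}

int main(void) {
    /* Constructed inputs: a run of 2^29 U+FFFF code points, as in note 1. */
    size32_t n = (size32_t)1 << 29;
    printf("unchecked requiredsize: %" PRIu32 "\n",
           requiredsize_unchecked(0, n, 0, n, 0xffff));     /* wraps to 0 */
    printf("checked rc: %d\n",
           requiredsize_checked(0, n, 0, n, 0xffff, NULL)); /* -1: refused */
    /* Constructed small case: 3 code points, 5 bytes already written,
       7 bytes of ordinary input after the run -> 5 + 3*8 + 7. */
    printf("small case: %" PRIu32 "\n",
           requiredsize_or_zero(5, 10, 0, 3, 0xffff));
    return 0;
}
```

The unchecked function reproduces the report exactly: 2^29 code points at 8 bytes each is 2^32, which is 0 in a 32-bit size, so the buffer is never grown. The checked function rejects the same input before any allocation happens, which is the property a fix for this class of bug has to guarantee for every term of the `respos + repsize + (size - collend)` sum, not just the multiplication.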
----------
files: poc_encode_latin1.py
messages: 227837
nosy: pkt
priority: normal
severity: normal
status: open
title: integer overflow in encoding unicode
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file36754/poc_encode_latin1.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue22518>
_______________________________________