[issue22518] integer overflow in encoding unicode
Changes by Benjamin Peterson benja...@python.org: -- resolution: - fixed status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Serhiy Storchaka added the comment: Integer overflow errors were fixed in 4 error handlers: surrogatepass, backslashreplace, namereplace, and xmlcharrefreplace. Is is hard to write general robust tests. In worst cases they requires more than sys.maxsize or even sys.maxsize*2 memory and for sure fail with MemoryError. It is possible to write a test for xmlcharrefreplace, but it will not robust, after changes of implementation details it could raise MemoryError instead of OverflowError after consuming all address space. So I suggest close this issue without tests. Such tests are useless. -- keywords: +patch Added file: http://bugs.python.org/file37285/codecs_error_handlers_overflow_tests.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Serhiy Storchaka added the comment: Do you want to add a bigmem test or close this issue Benjamin? -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Benjamin Peterson added the comment: I wouldn't object if you had a patch. -- nosy: +benjamin.peterson ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Roundup Robot added the comment: New changeset 3f7519f633ed by Serhiy Storchaka in branch '2.7': Issue #22518: Fixed integer overflow issues in backslashreplace and https://hg.python.org/cpython/rev/3f7519f633ed New changeset ec9b7fd246b6 by Serhiy Storchaka in branch '3.4': Issue #22518: Fixed integer overflow issues in backslashreplace, https://hg.python.org/cpython/rev/ec9b7fd246b6 New changeset 2df4cc31c36e by Serhiy Storchaka in branch 'default': Issue #22518: Fixed integer overflow issues in backslashreplace, https://hg.python.org/cpython/rev/2df4cc31c36e -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Roundup Robot added the comment: New changeset d1be1f355f59 by Serhiy Storchaka in branch '2.7': Fixed compilation error introduced in 3f7519f633ed (issue #22518). https://hg.python.org/cpython/rev/d1be1f355f59 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Roundup Robot added the comment: New changeset 51317c9786f5 by Serhiy Storchaka in branch '3.3': Issue #22518: Fixed integer overflow issues in backslashreplace, https://hg.python.org/cpython/rev/51317c9786f5 -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Serhiy Storchaka added the comment: Sorry for noise, these changes are related to issue22470. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
STINNER Victor added the comment: New changeset f86fde20e9ce by Benjamin Peterson in branch 'default': merge 3.4 (closes #22518) https://hg.python.org/cpython/rev/f86fde20e9ce This changeset added other. It looks like you commited a conflict. -if (requiredsize2*outsize) +if (outsize = PY_SSIZE_T_MAX/2 requiredsize 2*outsize) requiredsize = 2*outsize; I'm not sure that this change is correct. Why not raising an exception on overflow? -- nosy: +haypo ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
STINNER Victor added the comment: It would be nice to add a bigmem test to check that repr('\x00'*(2**30+1)) doesn't crash anymore. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
STINNER Victor added the comment: It would be nice to add a bigmem test to check that repr('\x00'*(2**30+1)) doesn't crash anymore. Ooops, wrong issue, the test is : (\u * (2**29)).encode(latin1, errors=xmlcharrefreplace). -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Changes by STINNER Victor victor.stin...@gmail.com: -- resolution: fixed - status: closed - open ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Serhiy Storchaka added the comment: I'm not sure that this change is correct. Why not raising an exception on overflow? This is correct. This check prevents overflow. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
STINNER Victor added the comment: This is correct. This check prevents overflow. Oh, I didn't understand that requiredsize = 2*outsize; is only used for performances, to overallocate the buffer. So I agree that it's fine to not overallocate if it would overflow. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Changes by STINNER Victor victor.stin...@gmail.com: -- type: crash - security ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Georg Brandl added the comment: Benjamin, could you make a patch for 3.2 as well? -- nosy: +georg.brandl ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Serhiy Storchaka added the comment: Ooops, wrong issue, the test is : (\u * (2**29)).encode(latin1, errors=xmlcharrefreplace). (\u * (sys.maxsize//8+1)).encode(latin1, errors=xmlcharrefreplace) or (\xff * (sys.maxsize//6+1)).encode(ascii, errors=xmlcharrefreplace) -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
New submission from paul: # static PyObject * # unicode_encode_ucs1(PyObject *unicode, # const char *errors, # unsigned int limit) # { # ... # while (pos size) { # ... # case 4: /* xmlcharrefreplace */ # /* determine replacement size */ # for (i = collstart, repsize = 0; i collend; ++i) { # Py_UCS4 ch = PyUnicode_READ(kind, data, i); # ... # else if (ch 10) # 1 repsize += 2+5+1; # ... # } # 2 requiredsize = respos+repsize+(size-collend); # if (requiredsize ressize) { # ... # if (_PyBytes_Resize(res, requiredsize)) # ... # } # /* generate replacement */ # for (i = collstart; i collend; ++i) { # 3 str += sprintf(str, #%d;, PyUnicode_READ(kind, data, i)); # } # # 1. ch=0x10, so repsize = (number of unicode chars in string)*8 #=2^29*2^3=2^32 == 0 (mod 2^32) # 2. respos==0, collend==0, so requiredsize=repsize==0, so the destination buffer #isn't resized # 3. overwrite -- files: poc_encode_latin1.py messages: 227837 nosy: pkt priority: normal severity: normal status: open title: integer overflow in encoding unicode type: crash versions: Python 3.4 Added file: http://bugs.python.org/file36754/poc_encode_latin1.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Serhiy Storchaka added the comment: Looks very similar to issue22470. -- nosy: +serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Changes by Benjamin Peterson benja...@python.org: -- versions: +Python 2.7, Python 3.5 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Changes by Benjamin Peterson benja...@python.org: -- versions: +Python 3.3 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Roundup Robot added the comment: New changeset b2e68274aa8e by Benjamin Peterson in branch '2.7': cleanup overflowing handling in unicode_decode_call_errorhandler and unicode_encode_ucs1 (closes #22518) https://hg.python.org/cpython/rev/b2e68274aa8e New changeset 3b7e93249700 by Benjamin Peterson in branch '2.7': add NEWS note for #22518 https://hg.python.org/cpython/rev/3b7e93249700 New changeset 3c67d19c624f by Benjamin Peterson in branch '3.3': cleanup overflowing handling in unicode_decode_call_errorhandler and unicode_encode_ucs1 (closes #22518) https://hg.python.org/cpython/rev/3c67d19c624f New changeset 88332ea4c140 by Benjamin Peterson in branch '3.3': NEWS issue for #22518 https://hg.python.org/cpython/rev/88332ea4c140 New changeset 7dab27f2 by Benjamin Peterson in branch '3.4': merge 3.3 (closes #22518) https://hg.python.org/cpython/rev/7dab27f2 New changeset f86fde20e9ce by Benjamin Peterson in branch 'default': merge 3.4 (closes #22518) https://hg.python.org/cpython/rev/f86fde20e9ce -- nosy: +python-dev resolution: - fixed stage: - resolved status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue22518] integer overflow in encoding unicode
Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com: -- nosy: +Arfrever ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue22518 ___ ___ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com