fix possible overflow in encode_basestring_ascii (closes #23369)
diff --git a/Lib/test/test_json/test_encode_basestring_ascii.py b/Lib/test/test_json/test_encode_basestring_ascii.py
index 480afd6..3c014d3 100644
--- a/Lib/test/test_json/test_encode_basestring_ascii.py
+++ b/Lib/test/test_json/test_encode_basestring_ascii.py
@@ -1,5 +1,6 @@
from collections import OrderedDict
from test.test_json import PyTest, CTest
+from test.support import bigaddrspacetest
CASES = [
@@ -41,4 +42,10 @@
class TestPyEncodeBasestringAscii(TestEncodeBasestringAscii, PyTest): pass
-class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest): pass
+class TestCEncodeBasestringAscii(TestEncodeBasestringAscii, CTest):
+ @bigaddrspacetest
+ def test_overflow(self):
+ s = "\uffff"*((2**32)//6 + 1)
+ with self.assertRaises(OverflowError):
+ self.json.encoder.encode_basestring_ascii(s)
+
diff --git a/Misc/NEWS b/Misc/NEWS
index b203462..b69955a 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,12 @@
- Issue #23055: Fixed a buffer overflow in PyUnicode_FromFormatV. Analysis
and fix by Guido Vranken.
+Library
+-------
+
+- Issue #23369: Fixed possible integer overflow in
+ _json.encode_basestring_ascii.
+
What's New in Python 3.3.6?
===========================
diff --git a/Modules/_json.c b/Modules/_json.c
index 4bc585d..397037e 100644
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -216,17 +216,24 @@
/* Compute the output size */
for (i = 0, output_size = 2; i < input_chars; i++) {
Py_UCS4 c = PyUnicode_READ(kind, input, i);
- if (S_CHAR(c))
- output_size++;
+ Py_ssize_t d;
+ if (S_CHAR(c)) {
+ d = 1;
+ }
else {
switch(c) {
case '\\': case '"': case '\b': case '\f':
case '\n': case '\r': case '\t':
- output_size += 2; break;
+ d = 2; break;
default:
- output_size += c >= 0x10000 ? 12 : 6;
+ d = c >= 0x10000 ? 12 : 6;
}
}
+ if (output_size > PY_SSIZE_T_MAX - d) {
+ PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
+ return NULL;
+ }
+ output_size += d;
}
rval = PyUnicode_New(output_size, 127);