commit e3bfe19358f9d6747676fcdb9af415972d276671
author Benjamin Peterson <benjamin@python.org> Sun Feb 01 17:53:53 2015 -0500
committer Benjamin Peterson <benjamin@python.org> Sun Feb 01 17:53:53 2015 -0500
tree 5af2f199c00afdfc3c1ebc3c9f4fb10dbc2f68c3
parent 4dbc30500218204eace01fa4d429f3087df5376f

fix possible overflow in encode_basestring_ascii (closes #23369)

Modules/_json.c

diff --git a/Modules/_json.c b/Modules/_json.c
index 4bc585d..397037e 100644
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -216,17 +216,24 @@
     /* Compute the output size */
     for (i = 0, output_size = 2; i < input_chars; i++) {
         Py_UCS4 c = PyUnicode_READ(kind, input, i);
-        if (S_CHAR(c))
-            output_size++;
+        Py_ssize_t d;
+        if (S_CHAR(c)) {
+            d = 1;
+        }
         else {
             switch(c) {
             case '\\': case '"': case '\b': case '\f':
             case '\n': case '\r': case '\t':
-                output_size += 2; break;
+                d = 2; break;
             default:
-                output_size += c >= 0x10000 ? 12 : 6;
+                d = c >= 0x10000 ? 12 : 6;
             }
         }
+        if (output_size > PY_SSIZE_T_MAX - d) {
+            PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
+            return NULL;
+        }
+        output_size += d;
     }
 
     rval = PyUnicode_New(output_size, 127);