detect escapes > 255

diff --git a/dns/rdtypes/svcbbase.py b/dns/rdtypes/svcbbase.py
index 212b5cdd068a5c46a045e17199ae44385ed9d9cf..9bb835463a8db59b04ebc85266bd36f86776d90d 100644 (file)
--- a/dns/rdtypes/svcbbase.py
+++ b/dns/rdtypes/svcbbase.py
@@ -122,7 +122,10 @@ def _unescape(value, list_mode=False):
                 i += 1
                 if not (c2.isdigit() and c3.isdigit()):
                     raise dns.exception.SyntaxError
-                c = chr(int(c) * 100 + int(c2) * 10 + int(c3))
+                codepoint = int(c) * 100 + int(c2) * 10 + int(c3)
+                if codepoint > 255:
+                    raise dns.exception.SyntaxError
+                c = chr(codepoint)
         unescaped += c.encode()
     if len(unescaped) > 0:
         items.append(unescaped)

diff --git a/dns/tokenizer.py b/dns/tokenizer.py
index 7d698eae644bc7a9f965dc8deb3ce6de4dbf535c..131d428bbda647b59b592932c4cfbd1458375e45 100644 (file)
--- a/dns/tokenizer.py
+++ b/dns/tokenizer.py
@@ -120,7 +120,10 @@ class Token:
                     i += 1
                     if not (c2.isdigit() and c3.isdigit()):
                         raise dns.exception.SyntaxError
-                    c = chr(int(c) * 100 + int(c2) * 10 + int(c3))
+                    codepoint = int(c) * 100 + int(c2) * 10 + int(c3)
+                    if codepoint > 255:
+                        raise dns.exception.SyntaxError
+                    c = chr(codepoint)
             unescaped += c
         return Token(self.ttype, unescaped)
 
@@ -171,7 +174,10 @@ class Token:
                     i += 1
                     if not (c2.isdigit() and c3.isdigit()):
                         raise dns.exception.SyntaxError
-                    unescaped += b'%c' % (int(c) * 100 + int(c2) * 10 + int(c3))
+                    codepoint = int(c) * 100 + int(c2) * 10 + int(c3)
+                    if codepoint > 255:
+                        raise dns.exception.SyntaxError
+                    unescaped += b'%c' % (codepoint)
                 else:
                     # Note that as mentioned above, if c is a Unicode
                     # code point outside of the ASCII range, then this

diff --git a/tests/test_svcb.py b/tests/test_svcb.py
index 7a6620fc01ffb577c8b061e1b3522ee6cb20f307..ecfebf4158c9efe5b5e4a1a67842721761958fa2 100644 (file)
--- a/tests/test_svcb.py
+++ b/tests/test_svcb.py
@@ -275,6 +275,8 @@ class SVCBTestCase(unittest.TestCase):
             dns.rdata.from_text('in', 'svcb', '1 . alpn=\\00')
         with self.assertRaises(dns.exception.SyntaxError):
             dns.rdata.from_text('in', 'svcb', '1 . alpn=\\00q')
+        with self.assertRaises(dns.exception.SyntaxError):
+            dns.rdata.from_text('in', 'svcb', '1 . alpn=\\256')
         # This doesn't usually get exercised, so we do it directly.
         gp = dns.rdtypes.svcbbase.GenericParam.from_value('\\001\\002')
         expected = '"\\001\\002"'

diff --git a/tests/test_tokenizer.py b/tests/test_tokenizer.py
index e4797a5e196d0dea1a0a5562f11ed4fd65d9e24c..6134d4b2e2e73573459b4b109174393e1e8997f6 100644 (file)
--- a/tests/test_tokenizer.py
+++ b/tests/test_tokenizer.py
@@ -273,6 +273,14 @@ class TokenizerTestCase(unittest.TestCase):
             tok = dns.tokenizer.Tokenizer('\\')
             tok.get()
 
+    def testEscapeBounds(self):
+        with self.assertRaises(dns.exception.SyntaxError):
+            tok = dns.tokenizer.Tokenizer('\\256')
+            tok.get().unescape()
+        with self.assertRaises(dns.exception.SyntaxError):
+            tok = dns.tokenizer.Tokenizer('\\256')
+            tok.get().unescape_to_bytes()
+
     def testGetUngetRegetComment(self):
         tok = dns.tokenizer.Tokenizer(';comment')
         t1 = tok.get(want_comment=True)