Issue #19676: Fixed integer overflow issue in "namereplace" error handler.
authorSerhiy Storchaka <storchaka@gmail.com>
Wed, 26 Nov 2014 10:11:40 +0000 (12:11 +0200)
committerSerhiy Storchaka <storchaka@gmail.com>
Wed, 26 Nov 2014 10:11:40 +0000 (12:11 +0200)
Python/codecs.c

index b09ea3a28fe4dfd8cc8e05d0cee26b4b25a8d684..8ffa80b2139ee089fdf3652141c93f7f9cf3563f 100644 (file)
@@ -947,7 +947,8 @@ PyObject *PyCodec_NameReplaceErrors(PyObject *exc)
         Py_ssize_t end;
         PyObject *res;
         unsigned char *outp;
-        int ressize;
+        Py_ssize_t ressize;
+        int replsize;
         Py_UCS4 c;
         char buffer[256]; /* NAME_MAXLEN */
         if (PyUnicodeEncodeError_GetStart(exc, &start))
@@ -967,17 +968,21 @@ PyObject *PyCodec_NameReplaceErrors(PyObject *exc)
             c = PyUnicode_READ_CHAR(object, i);
             if (ucnhash_CAPI &&
                 ucnhash_CAPI->getname(NULL, c, buffer, sizeof(buffer), 1)) {
-                ressize += 1+1+1+strlen(buffer)+1;
+                replsize = 1+1+1+strlen(buffer)+1;
             }
             else if (c >= 0x10000) {
-                ressize += 1+1+8;
+                replsize = 1+1+8;
             }
             else if (c >= 0x100) {
-                ressize += 1+1+4;
+                replsize = 1+1+4;
             }
             else
-                ressize += 1+1+2;
+                replsize = 1+1+2;
+            if (ressize > PY_SSIZE_T_MAX - replsize)
+                break;
+            ressize += replsize;
         }
+        end = i;
         res = PyUnicode_New(ressize, 127);
         if (res==NULL)
             return NULL;
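Review bot: The `break` taken at `if (ressize > PY_SSIZE_T_MAX - replsize)` silently shortens the range that gets replaced, and only the later `end = i;` hints at this. A comment at the check would make the intent explicit, e.g. `/* Stop before ressize can overflow; end is cut back to i so the returned position covers only the characters actually replaced. */`. Separately, `replsize = 1+1+1+strlen(buffer)+1;` narrows a `size_t` to `int` implicitly; the value is bounded by `char buffer[256]`, so writing `(int)strlen(buffer)` would document that the narrowing is intended. The loop header and the initialisation of `ressize` lie outside this hunk.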
@@ -1014,6 +1019,7 @@ PyObject *PyCodec_NameReplaceErrors(PyObject *exc)
             *outp++ = Py_hexdigits[c&0xf];
         }
 
+        assert(out == start + ressize);
         assert(_PyUnicode_CheckConsistency(res, 1));
         restuple = Py_BuildValue("(Nn)", res, end);
         Py_DECREF(object);
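Review bot: The added `assert(out == start + ressize);` names `out`, but the pointer declared in this function and advanced on the line above is `outp`. `start` is also the wrong operand, because it is the value filled in by `PyUnicodeEncodeError_GetStart(exc, &start)`, an index and not a buffer address. Because `assert` is compiled out under `NDEBUG`, release builds would hide the problem, while debug builds would presumably fail to compile or check the wrong thing. Assuming the write loop (outside this hunk) starts `outp` at the result's 1-byte data, the intended check would be `assert(outp == PyUnicode_1BYTE_DATA(res) + ressize);`.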