From: Benjamin Peterson <benjamin@python.org>
Date: Tue, 30 Sep 2014 03:02:15 +0000 (-0400)
Subject: prevent overflow in unicode_repr (closes #22520)
X-Git-Tag: v3.3.6rc1~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=736b8012b42be24dd26b57bd443a576cc37c116c;p=thirdparty%2FPython%2Fcpython.git

prevent overflow in unicode_repr (closes #22520)
---

diff --git a/Misc/NEWS b/Misc/NEWS
index 890c25103e04..1c2393c97568 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.3.6 release candidate 1?
 Core and Builtins
 -----------------
 
+- Issue #22520: Fix overflow checking when generating the repr of a unicode
+  object.
+
 - Issue #22519: Fix overflow checking in PyBytes_Repr.
 
 - Issue #22518: Fix integer overflow issues in latin-1 encoding.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 07832bacfa01..1ce5caafdce1 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -12000,28 +12000,34 @@ unicode_repr(PyObject *unicode)
     ikind = PyUnicode_KIND(unicode);
     for (i = 0; i < isize; i++) {
         Py_UCS4 ch = PyUnicode_READ(ikind, idata, i);
+        Py_ssize_t incr = 1;
         switch (ch) {
-        case '\'': squote++; osize++; break;
-        case '"':  dquote++; osize++; break;
+        case '\'': squote++; break;
+        case '"':  dquote++; break;
         case '\\': case '\t': case '\r': case '\n':
-            osize += 2; break;
+            incr = 2;
+            break;
         default:
             /* Fast-path ASCII */
             if (ch < ' ' || ch == 0x7f)
-                osize += 4; /* \xHH */
+                incr = 4; /* \xHH */
             else if (ch < 0x7f)
-                osize++;
-            else if (Py_UNICODE_ISPRINTABLE(ch)) {
-                osize++;
+                ;
+            else if (Py_UNICODE_ISPRINTABLE(ch))
                 max = ch > max ? ch : max;
-            }
             else if (ch < 0x100)
-                osize += 4; /* \xHH */
+                incr = 4; /* \xHH */
             else if (ch < 0x10000)
-                osize += 6; /* \uHHHH */
+                incr = 6; /* \uHHHH */
             else
-                osize += 10; /* \uHHHHHHHH */
+                incr = 10; /* \uHHHHHHHH */
+        }
+        if (osize > PY_SSIZE_T_MAX - incr) {
+            PyErr_SetString(PyExc_OverflowError,
+                            "string is too long to generate repr");
+            return NULL;
         }
+        osize += incr;
     }
 
     quote = '\'';