From: Benjamin Peterson <benjamin@python.org>
Date: Sat, 27 Jun 2015 20:01:51 +0000 (-0500)
Subject: prevent integer overflow in escape_unicode (closes #24522)
X-Git-Tag: v3.5.0b3~39
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7b78d4364da086baf77202e6e9f6839128a366ff;p=thirdparty%2FPython%2Fcpython.git

prevent integer overflow in escape_unicode (closes #24522)
---

diff --git a/Misc/NEWS b/Misc/NEWS
index 1f5241b8d0be..4b3e189fc7be 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -24,6 +24,8 @@ Core and Builtins
 Library
 -------
 
+- Issue #24522: Fix possible integer overflow in json accelerator module.
+
 - Issue #24489: ensure a previously set C errno doesn't disturb cmath.polar().
 
 - Issue #24408: Fixed AttributeError in measure() and metrics() methods of
diff --git a/Modules/_json.c b/Modules/_json.c
index e4478ef420c0..8000f915f348 100644
--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -249,17 +249,23 @@ escape_unicode(PyObject *pystr)
     /* Compute the output size */
     for (i = 0, output_size = 2; i < input_chars; i++) {
         Py_UCS4 c = PyUnicode_READ(kind, input, i);
+        Py_ssize_t d;
         switch (c) {
         case '\\': case '"': case '\b': case '\f':
         case '\n': case '\r': case '\t':
-            output_size += 2;
+            d = 2;
             break;
         default:
             if (c <= 0x1f)
-                output_size += 6;
+                d = 6;
             else
-                output_size++;
+                d = 1;
+        }
+        if (output_size > PY_SSIZE_T_MAX - d) {
+            PyErr_SetString(PyExc_OverflowError, "string is too long to escape");
+            return NULL;
         }
+        output_size += d;
     }
 
     rval = PyUnicode_New(output_size, maxchar);