This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author pkt
Recipients pkt
Date 2014-09-29.21:04:18
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1412024659.14.0.152968090659.issue22520@psf.upfronthosting.co.za>
In-reply-to
Content
# unicode_repr(PyObject *unicode)
# {
#     ...
# 1   isize = PyUnicode_GET_LENGTH(unicode);
#     idata = PyUnicode_DATA(unicode);
# 
#     /* Compute length of output, quote characters, and
#        maximum character */
#     osize = 0;
#     ...
#     for (i = 0; i < isize; i++) {
#         Py_UCS4 ch = PyUnicode_READ(ikind, idata, i);
#         switch (ch) {
#         ...
#         default:
#             /* Fast-path ASCII */
#             if (ch < ' ' || ch == 0x7f)
# 2               osize += 4; /* \xHH */ 
#             ...
#         }
#     }
# 
#     ...
# 3   repr = PyUnicode_New(osize, max);
#     ...
#         for (i = 0, o = 1; i < isize; i++) {
#             Py_UCS4 ch = PyUnicode_READ(ikind, idata, i);
#             ...
#                 else {
# 4                   PyUnicode_WRITE(okind, odata, o++, ch);
#                 }
#             }
#         }
#     }
#     /* Closing quote already added at the beginning */
# 5   assert(_PyUnicode_CheckConsistency(repr, 1));
#     return repr;
# }
# 
# 1. isize=2^30+1
# 2. osize=isize*4=4
# 3. allocated buffer is too small
# 4. heap overflow
# 5. this assert will likely fail, since there is a good chance the allocated
#    buffer is just before the huge one, so the huge one will overwrite itself.
History
Date User Action Args
2014-09-29 21:04:19pktsetrecipients: + pkt
2014-09-29 21:04:19pktsetmessageid: <1412024659.14.0.152968090659.issue22520@psf.upfronthosting.co.za>
2014-09-29 21:04:19pktlinkissue22520 messages
2014-09-29 21:04:19pktcreate