Message227839
# unicode_repr(PyObject *unicode)
# {
# ...
# 1 isize = PyUnicode_GET_LENGTH(unicode);
# idata = PyUnicode_DATA(unicode);
#
# /* Compute length of output, quote characters, and
# maximum character */
# osize = 0;
# ...
# for (i = 0; i < isize; i++) {
# Py_UCS4 ch = PyUnicode_READ(ikind, idata, i);
# switch (ch) {
# ...
# default:
# /* Fast-path ASCII */
# if (ch < ' ' || ch == 0x7f)
# 2 osize += 4; /* \xHH */
# ...
# }
# }
#
# ...
# 3 repr = PyUnicode_New(osize, max);
# ...
# for (i = 0, o = 1; i < isize; i++) {
# Py_UCS4 ch = PyUnicode_READ(ikind, idata, i);
# ...
# else {
# 4 PyUnicode_WRITE(okind, odata, o++, ch);
# }
# }
# }
# }
# /* Closing quote already added at the beginning */
# 5 assert(_PyUnicode_CheckConsistency(repr, 1));
# return repr;
# }
#
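# 1. isize=2^30+1
# 2. osize=isize*4=4: every character takes the \xHH branch, so the true total
#    is 2^32+4, which does not fit in Py_ssize_t and wraps around to 4 (this
#    implies a 32-bit Py_ssize_t)
# 3. allocated buffer is too small, because PyUnicode_New() is given the wrapped osize
# 4. heap overflow: the second loop still writes output for all isize characters
# 5. this assert will likely fail, since there is a good chance the small allocated
#    buffer sits just before the huge one (the input string), so the writes run
#    past the buffer and the huge one ends up overwriting itself.
#
# To avoid this, the length computation has to check before each addition that
# osize cannot exceed PY_SSIZE_T_MAX, and fail with an error instead of wrapping.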
|
Date |
User |
Action |
Args |
2014-09-29 21:04:19 | pkt | set | recipients:
+ pkt |
2014-09-29 21:04:19 | pkt | set | messageid: <1412024659.14.0.152968090659.issue22520@psf.upfronthosting.co.za> |
2014-09-29 21:04:19 | pkt | link | issue22520 messages |
2014-09-29 21:04:19 | pkt | create | |
|