[Found by a Googler who prefers to remain anonymous]

This might be easier to trigger on a 64-bit:

PyObject *PyUnicode_DecodeUTF7Stateful(...)
{
    ...
    Py_ssize_t startinpos;
    ...
    while (s < e) {
    ...
      utf7Error:
        outpos = p-PyUnicode_AS_UNICODE(unicode);
        endinpos = s-starts;
        if (unicode_decode_call_errorhandler(
                errors, &errorHandler,
                "utf7", errmsg,
                starts, size, &startinpos, &endinpos, &exc, &s,
                &unicode, &outpos, &p))
        ...
    }
    ...
}

The lack of initialization of startinpos will lead to the likelihood of
the value being >= INT_MAX with a 64-bit value, leading to the
subsequent assert [somewhere in unicode_decode_call_errorhandler()]. In
theory the assert could trigger in 32-bit if the uninitialized value
happened to get set to INT_MAX.

The other similar variable also probably need to be initialized.
Furthermore, the function PyUnicode_DecodeUTF8Stateful also has the same
uninitialized variables.

I can't see at the moment how the unicode_decode_call_errorhandler call
can be made without startinpos being previously set to some value.
Antoine, maybe you can verify?

Hmm, I know nothing about UTF7...

Anyway, looking at the code, the utf7Error code path can be called from
the following places (trunk line numbers):

• line 1595, and startinpos was set three lines before
• a bunch of places in the "if (inShift) { ... }" chunk between lines
  1537 and 1578; inShift would have had previously been set to 1 and
  that's at line 1587, a couple of lines after setting startinpos

So it seems things are fine, but perhaps I'm missing something.

The UTF-7 codec implementation has a few problems (one of them is that
it is hardly being used, so bugs only get detected very slowly).

bpo-4426 has a patch with cleaned up and more standards compliant
implementation. Perhaps that also fixes the problem with uninitialized
variables.

It looks like it was fixed in 2.6 by adding an assignment to startinpos
to this block:

       else if (SPECIAL(ch,0,0)) {
           startinpos = s-starts;     /* <---------- This was added */
           errmsg = "unexpected special character";
           s++;
           goto utf7Error;
       }

Are we going to release another 2.5, ever?

Only with security fixes IIRC. Letting Martin decide.

Well, this one is technically a security fix, though I have no idea how
it could be exploited unless you offer your users a facility to execute
arbitrary Python code.

I agree it is technically a security fix, so somebody please feel free
to commit it. I will make another 2.5 release when enough of these have
accumulated, or something urgent happens, or somebody wants to see a
release really badly :-)

OK, submitted.