Message235177
# static PyObject *
# ascii_escape_unicode(PyObject *pystr)
# {
# ...
#
# input_chars = PyUnicode_GET_LENGTH(pystr);
# input = PyUnicode_DATA(pystr);
# kind = PyUnicode_KIND(pystr);
#
# /* Compute the output size */
# for (i = 0, output_size = 2; i < input_chars; i++) {
# Py_UCS4 c = PyUnicode_READ(kind, input, i);
# if (S_CHAR(c))
# output_size++;
# else {
# switch(c) {
# ...
# default:
# 1 output_size += c >= 0x10000 ? 12 : 6;
# ...
#
# 2 rval = PyUnicode_New(output_size, 127);
#
# 1. if c is \uFFFF then output_size += 6. There are no overflow checks on this
# variable, so we can overflow it with a sufficiently long (2**32/6+1 chars)
# string
# 2. rval buffer is too small to hold the result
#
# Crash:
# ------
#
# Breakpoint 3, ascii_escape_unicode (pystr='...') at /home/p/Python-3.4.1/Modules/_json.c:198
# 198 rval = PyUnicode_New(output_size, 127);
# (gdb) print output_size
# $9 = 4
# (gdb) c
# Continuing.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x4057888f in ascii_escape_unichar (c=65535,
# output=0x40572358 "...",
# chars=19624) at /home/p/Python-3.4.1/Modules/_json.c:155
# 155 output[chars++] = Py_hexdigits[(c >> 8) & 0xf];
#
# OS info
# -------
#
# % ./python -V
# Python 3.4.1
#
# % uname -a
# Linux ubuntu 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 15:31:16 UTC 2013 i686 i686 i386 GNU/Linux
#
from _json import encode_basestring_ascii as enc
s="\uffff"*int((2**32)/6+1)
enc(s) |
|
Date |
User |
Action |
Args |
2015-02-01 13:59:35 | pkt | set | recipients:
+ pkt |
2015-02-01 13:59:35 | pkt | set | messageid: <1422799175.9.0.580347379364.issue23369@psf.upfronthosting.co.za> |
2015-02-01 13:59:35 | pkt | link | issue23369 messages |
2015-02-01 13:59:35 | pkt | create | |
|