Message 235177 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	pkt
Recipients	pkt
Date	2015-02-01.13:59:35
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1422799175.9.0.580347379364.issue23369@psf.upfronthosting.co.za>
In-reply-to

Content
# static PyObject * # ascii_escape_unicode(PyObject pystr) # { # ... # # input_chars = PyUnicode_GET_LENGTH(pystr); # input = PyUnicode_DATA(pystr); # kind = PyUnicode_KIND(pystr); # # / Compute the output size / # for (i = 0, output_size = 2; i < input_chars; i++) { # Py_UCS4 c = PyUnicode_READ(kind, input, i); # if (S_CHAR(c)) # output_size++; # else { # switch(c) { # ... # default: # 1 output_size += c >= 0x10000 ? 12 : 6; # ... # # 2 rval = PyUnicode_New(output_size, 127); # # 1. if c is \uFFFF then output_size += 6. There are no overflow checks on this # variable, so we can overflow it with a sufficiently long (232/6+1 chars) # string # 2. rval buffer is too small to hold the result # # Crash: # ------ # # Breakpoint 3, ascii_escape_unicode (pystr='...') at /home/p/Python-3.4.1/Modules/_json.c:198 # 198 rval = PyUnicode_New(output_size, 127); # (gdb) print output_size # $9 = 4 # (gdb) c # Continuing. # # Program received signal SIGSEGV, Segmentation fault. # 0x4057888f in ascii_escape_unichar (c=65535, # output=0x40572358 "...", # chars=19624) at /home/p/Python-3.4.1/Modules/_json.c:155 # 155 output[chars++] = Py_hexdigits[(c >> 8) & 0xf]; # # OS info # ------- # # % ./python -V # Python 3.4.1 # # % uname -a # Linux ubuntu 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 15:31:16 UTC 2013 i686 i686 i386 GNU/Linux # from _json import encode_basestring_ascii as enc s="\uffff"int((2**32)/6+1) enc(s)

# static PyObject *
# ascii_escape_unicode(PyObject *pystr)
# {
#     ...
# 
#     input_chars = PyUnicode_GET_LENGTH(pystr);
#     input = PyUnicode_DATA(pystr);
#     kind = PyUnicode_KIND(pystr);
# 
#     /* Compute the output size */
#     for (i = 0, output_size = 2; i < input_chars; i++) {
#         Py_UCS4 c = PyUnicode_READ(kind, input, i);
#         if (S_CHAR(c))
#             output_size++;
#         else {
#             switch(c) {
#             ...
#             default:
# 1               output_size += c >= 0x10000 ? 12 : 6;
#     ...
# 
# 2   rval = PyUnicode_New(output_size, 127);
# 
# 1. if c is \uFFFF then output_size += 6. There are no overflow checks on this 
#    variable, so we can overflow it with a sufficiently long (2**32/6+1 chars) 
#    string
# 2. rval buffer is too small to hold the result
# 
# Crash:
# ------
#  
# Breakpoint 3, ascii_escape_unicode (pystr='...') at /home/p/Python-3.4.1/Modules/_json.c:198
# 198         rval = PyUnicode_New(output_size, 127);
# (gdb) print output_size
# $9 = 4
# (gdb) c
# Continuing.
#  
# Program received signal SIGSEGV, Segmentation fault.
# 0x4057888f in ascii_escape_unichar (c=65535,
#     output=0x40572358 "...",
#     chars=19624) at /home/p/Python-3.4.1/Modules/_json.c:155
# 155                 output[chars++] = Py_hexdigits[(c >>  8) & 0xf];
# 
# OS info
# -------
# 
# % ./python -V
# Python 3.4.1
#  
# % uname -a
# Linux ubuntu 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 15:31:16 UTC 2013 i686 i686 i386 GNU/Linux
#  
 
from _json import encode_basestring_ascii as enc
s="\uffff"*int((2**32)/6+1)
enc(s)

History
Date	User	Action	Args
2015-02-01 13:59:35	pkt	set	recipients: + pkt
2015-02-01 13:59:35	pkt	set	messageid: <1422799175.9.0.580347379364.issue23369@psf.upfronthosting.co.za>
2015-02-01 13:59:35	pkt	link	issue23369 messages
2015-02-01 13:59:35	pkt	create