bakabtw/packages
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
packages/lang/python-cjson/patches/001-unicode-buffer-overflow.patch
hcg a5f89ff72c [packages] add package python-cjson 
git-svn-id: svn://svn.openwrt.org/openwrt/packages@22955 3c298f89-4303-0410-b956-a3cf2f4a3e73
2010-09-06 13:48:31 +00:00

80 lines
2.7 KiB
Diff
Raw Blame History

=== modified file 'cjson.c'
--- a/cjson.c 2007-08-24 16:12:17 +0000
+++ b/cjson.c 2010-05-26 05:05:55 +0000
@@ -613,6 +613,25 @@
char *p;
static const char *hexdigit = "0123456789abcdef";
+#ifdef Py_UNICODE_WIDE
+ const Py_ssize_t expandsize = 10;
+#else
+ const Py_ssize_t expandsize = 6;
+#endif
+
+ /* Initial allocation is based on the longest-possible unichr
+ escape.
+
+ In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source
+ unichr, so in this case it's the longest unichr escape. In
+ narrow (UTF-16) builds this is five chars per source unichr
+ since there are two unichrs in the surrogate pair, so in narrow
+ (UTF-16) builds it's not the longest unichr escape.
+
+ In wide or narrow builds '\uxxxx' is 6 chars per source unichr,
+ so in the narrow (UTF-16) build case it's the longest unichr
+ escape.
+ */
s = PyUnicode_AS_UNICODE(unicode);
size = PyUnicode_GET_SIZE(unicode);
@@ -623,7 +642,7 @@
return NULL;
}
- repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1);
+ repr = PyString_FromStringAndSize(NULL, 2 + expandsize*size + 1);
if (repr == NULL)
return NULL;
@@ -644,15 +663,6 @@
#ifdef Py_UNICODE_WIDE
/* Map 21-bit characters to '\U00xxxxxx' */
else if (ch >= 0x10000) {
- int offset = p - PyString_AS_STRING(repr);
-
- /* Resize the string if necessary */
- if (offset + 12 > PyString_GET_SIZE(repr)) {
- if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100))
- return NULL;
- p = PyString_AS_STRING(repr) + offset;
- }
-
*p++ = '\\';
*p++ = 'U';
*p++ = hexdigit[(ch >> 28) & 0x0000000F];
=== modified file 'jsontest.py'
--- a/jsontest.py 2007-08-24 16:12:17 +0000
+++ b/jsontest.py 2010-05-26 05:05:55 +0000
@@ -316,6 +316,18 @@
def testWriteLong(self):
self.assertEqual("12345678901234567890", cjson.encode(12345678901234567890))
+
+ def testWriteLongUnicode(self):
+ # This test causes a buffer overrun in cjson 1.0.5, on UCS4 builds.
+ # The string length is only resized for wide unicode characters if
+ # there is less than 12 bytes of space left. Padding with
+ # narrow-but-escaped characters prevents string resizing.
+ # Note that u'\U0001D11E\u1234' also breaks, but sometimes goes
+ # undetected.
+ s = cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E'
+ u'\u1234\u1234\u1234\u1234\u1234\u1234')
+ self.assertEqual(r'"\U0001d11e\U0001d11e\U0001d11e\U0001d11e'
+ r'\u1234\u1234\u1234\u1234\u1234\u1234"', s)
def main():
unittest.main()
Reference in New Issue View Git Blame Copy Permalink