This is an archive of the discontinued Mercurial Phabricator instance.

Differential D634

encoding: check overflow while calculating size of JSON escape buffer
AbandonedPublic

Authored by singhsrb on Sep 5 2017, 8:38 PM.

Details

Reviewers
None
Group Reviewers
hg-reviewers
Summary

The minimum input size to exploit is ~682MB (= INT_MAX / len('\\u0000') * 2)
on 32bit system, which isn't easy to achieve using Python str in 2GB process
address space, but probably doable.

Diff Detail

Repository
rHG Mercurial
Lint
Lint Skipped
Unit
Unit Tests Skipped

Event Timeline

singhsrb created this revision.Sep 5 2017, 8:38 PM
singhsrb abandoned this revision.Sep 5 2017, 8:40 PM

Added for review by mistake.

Revision Contents
Changeset List

PathPackages
Mmercurial/cext/charencode.c (12 lines)

Diff 1623

mercurial/cext/charencode.c

for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {
char c = buf[i]; char c = buf[i];
if (c & 0x80) { if (c & 0x80) {
PyErr_SetString(PyExc_ValueError, PyErr_SetString(PyExc_ValueError,
"cannot process non-ascii str"); "cannot process non-ascii str");
return -1; return -1;
} }
esclen += jsonparanoidlentable[(unsigned char)c]; esclen += jsonparanoidlentable[(unsigned char)c];
if (esclen < 0) {
PyErr_SetString(PyExc_MemoryError,
"overflow in jsonescapelen");
return -1;
}
} }
} else { } else {
for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {
char c = buf[i]; char c = buf[i];
esclen += jsonlentable[(unsigned char)c]; esclen += jsonlentable[(unsigned char)c];
if (esclen < 0) {
PyErr_SetString(PyExc_MemoryError,
"overflow in jsonescapelen");
return -1;
}
} }
} }
return esclen; return esclen;
} }
/* map '\<c>' escape character */ /* map '\<c>' escape character */
static char jsonescapechar2(char c) static char jsonescapechar2(char c)
if (!PyArg_ParseTuple(args, "O!i:jsonescapeu8fast", if (!PyArg_ParseTuple(args, "O!i:jsonescapeu8fast",
&PyBytes_Type, &origstr, &paranoid)) &PyBytes_Type, &origstr, &paranoid))
return NULL; return NULL;
origbuf = PyBytes_AS_STRING(origstr); origbuf = PyBytes_AS_STRING(origstr);
origlen = PyBytes_GET_SIZE(origstr); origlen = PyBytes_GET_SIZE(origstr);
esclen = jsonescapelen(origbuf, origlen, paranoid); esclen = jsonescapelen(origbuf, origlen, paranoid);
if (esclen < 0) if (esclen < 0)
return NULL; /* unsupported char found */ return NULL; /* unsupported char found or overflow */
if (origlen == esclen) { if (origlen == esclen) {
Py_INCREF(origstr); Py_INCREF(origstr);
return origstr; return origstr;
} }
escstr = PyBytes_FromStringAndSize(NULL, esclen); escstr = PyBytes_FromStringAndSize(NULL, esclen);
if (!escstr) if (!escstr)
return NULL; return NULL;
encodejsonescape(PyBytes_AS_STRING(escstr), esclen, origbuf, origlen, encodejsonescape(PyBytes_AS_STRING(escstr), esclen, origbuf, origlen,
paranoid); paranoid);
return escstr; return escstr;
} }