Georg Brandl [EMAIL PROTECTED] added the comment:
Was merged in r65148.
--
resolution: - fixed
status: open - closed
___
Python tracker [EMAIL PROTECTED]
http://bugs.python.org/issue3322
___
STINNER Victor [EMAIL PROTECTED] added the comment:
To reproduce the crash, try very big negative integer as second
argument. Example:
_json.scanstring(test, -23492394)
Erreur de segmentation (core dumped)
_json.scanstring(utest, -1239239)
Erreur de segmentation (core dumped)
Georg Brandl [EMAIL PROTECTED] added the comment:
Bob, do you know how to fix this?
--
assignee: - bob.ippolito
nosy: +bob.ippolito, georg.brandl
___
Python tracker [EMAIL PROTECTED]
http://bugs.python.org/issue3322
STINNER Victor [EMAIL PROTECTED] added the comment:
I wrote that I'm unable to fix the bug correctly, but I wrote a patch
to avoid the crash:
- replace begin by end in error messages: is it correct?
- use end 0 || len = end test to check scanstring() second
argument = raise a ValueError if
Bob Ippolito [EMAIL PROTECTED] added the comment:
Am I to understand that the bug here is that the C extension doesn't
validate input properly if you call into it directly? Without a test I'm
not entirely sure exactly how you could possibly get negative values
into those functions using the json
Bob Ippolito [EMAIL PROTECTED] added the comment:
I've audited the patch, while it does fix the input range it looks like
it regresses other things (at least the error messages). begin was
intentionally used. The patch is not suitable for use, I'll create a
minimal patch that just fixes input
Bob Ippolito [EMAIL PROTECTED] added the comment:
I just committed a fix to trunk in r65147, needs port to py3k?
--
assignee: bob.ippolito - georg.brandl
___
Python tracker [EMAIL PROTECTED]
http://bugs.python.org/issue3322
New submission from STINNER Victor [EMAIL PROTECTED]:
scanstring_str() and scanstring_unicode() functions don't end value
whereas it can be outside input string range. A check like this is
needed:
if (end 0 || len = end) {
PyErr_SetString(PyExc_ValueError, xxx);
return