# Bazaar merge directive format 2 (Bazaar 0.90)
# revision_id: matt.giuca@gmail.com-20100526050617-23m5bam2hoqxo7oc
# target_branch: bzr+ssh://bazaar.launchpad.net/~ubuntu-\
# branches/ubuntu/karmic/python-cjson/karmic/
# testament_sha1: 83735123862b3ca31583a6de7c9ca5874f1ed52a
# timestamp: 2010-05-26 15:07:33 +1000
# base_revision_id: james.westby@ubuntu.com-20090727225553-\
# mmwv72szkns2wn76
#
# Begin patch
=== modified file 'cjson.c'
--- cjson.c 2007-08-24 16:12:17 +0000
+++ cjson.c 2010-05-26 05:06:17 +0000
@@ -613,6 +613,25 @@
 char *p;
 static const char *hexdigit = "0123456789abcdef";
+#ifdef Py_UNICODE_WIDE
+ const Py_ssize_t expandsize = 10;
+#else
+ const Py_ssize_t expandsize = 6;
+#endif
+
+ /* Initial allocation is based on the longest-possible unichr
+ escape.
+
+ In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source
+ unichr, so in this case it's the longest unichr escape. In
+ narrow (UTF-16) builds this is five chars per source unichr
+ since there are two unichrs in the surrogate pair, so in narrow
+ (UTF-16) builds it's not the longest unichr escape.
+
+ In wide or narrow builds '\uxxxx' is 6 chars per source unichr,
+ so in the narrow (UTF-16) build case it's the longest unichr
+ escape.
+ */
 s = PyUnicode_AS_UNICODE(unicode);
 size = PyUnicode_GET_SIZE(unicode);
@@ -623,7 +642,7 @@
 return NULL;
 }
- repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1);
+ repr = PyString_FromStringAndSize(NULL, 2 + expandsize*size + 1);
 if (repr == NULL)
 return NULL;
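Review bot: The comment added ahead of `s = PyUnicode_AS_UNICODE(unicode);` states the sizing rule several times over and is hard to scan, even though every later `*p++` write in the function now depends on it being right. It would read better as a short worst-case statement, for example `/* Worst case per source unichr: wide builds 10 chars ('\U00xxxxxx'); narrow builds 6 chars ('\uxxxx'), since a surrogate pair yields 10 chars for two unichrs. */`. The enclosing function starts and ends outside this hunk, so any other escape forms it emits should be checked against the same bound.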
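Review bot: The size guard whose tail is visible as the context lines `return NULL; }` just above the changed allocation is not touched by this commit, and its condition lies outside the hunk. If it still bounds `size` using the old factor of 6, then on wide builds `2 + expandsize*size + 1` could exceed `PY_SSIZE_T_MAX` for a very large input and wrap before reaching `PyString_FromStringAndSize`, leaving the buffer smaller than what the loop writes. The bound should be derived from the same constant as the allocation, e.g. `if (size > (PY_SSIZE_T_MAX - 2 - 1) / expandsize) {`.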
@@ -644,15 +663,6 @@
 #ifdef Py_UNICODE_WIDE
 /* Map 21-bit characters to '\U00xxxxxx' */
 else if (ch >= 0x10000) {
- int offset = p - PyString_AS_STRING(repr);
-
- /* Resize the string if necessary */
- if (offset + 12 > PyString_GET_SIZE(repr)) {
- if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100))
- return NULL;
- p = PyString_AS_STRING(repr) + offset;
- }
-
 *p++ = '\\';
 *p++ = 'U';
 *p++ = hexdigit[(ch >> 28) & 0x0000000F];
=== modified file 'debian/changelog'
--- debian/changelog 2009-07-27 22:55:53 +0000
+++ debian/changelog 2010-05-26 05:06:17 +0000
@@ -1,3 +1,10 @@
+python-cjson (1.0.5-2ubuntu0.1) karmic-security; urgency=low
+
+ * SECURITY UPDATE: Fixed potential buffer overflow error when encoding wide
+ unicode characters on UCS4 builds (LP: #585274)
+
+ -- Matt Giuca Wed, 26 May 2010 10:50:08 +1000
+
 python-cjson (1.0.5-2) unstable; urgency=low
 [ Bernd Zeimetz ]
=== modified file 'jsontest.py'
--- jsontest.py 2007-08-24 16:12:17 +0000
+++ jsontest.py 2010-05-26 05:06:17 +0000
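Review bot: With the resize block removed from the `ch >= 0x10000` branch, nothing at this site says why the `*p++` writes that follow are in bounds; the only protection is the up-front `expandsize` allocation made earlier in the function. A one-line comment here, such as `/* No resize needed: repr was allocated for expandsize chars per unichr */`, would keep a later edit from adding a longer escape without revisiting that allocation. A debug check before the function's final use of `p` (outside this hunk), e.g. `assert(p - PyString_AS_STRING(repr) <= PyString_GET_SIZE(repr));`, would make an undersized buffer fail deterministically in test builds, whereas the new test's own comment notes that the overrun sometimes goes undetected.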
@@ -316,6 +316,18 @@ def testWriteLong(self): self.assertEqual("12345678901234567890", cjson.encode(12345678901234567890)) + + def testWriteLongUnicode(self): + # This test causes a buffer overrun in cjson 1.0.5, on UCS4 builds. + # The string length is only resized for wide unicode characters if + # there is less than 12 bytes of space left. Padding with + # narrow-but-escaped characters prevents string resizing. + # Note that u'\U0001D11E\u1234' also breaks, but sometimes goes + # undetected. + s = cjson.encode(u'\U0001D11E\U0001D11E\U0001D11E\U0001D11E' + u'\u1234\u1234\u1234\u1234\u1234\u1234') + self.assertEqual(r'"\U0001d11e\U0001d11e\U0001d11e\U0001d11e' + r'\u1234\u1234\u1234\u1234\u1234\u1234"', s) def main(): unittest.main() # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWVjyDjAABBH/gFwQAgBY//// f6fepL////BgCEcu+7mD0ADNg69z3B6AvYp0GSCZJqnmqfoZNNTymaKPNTao9NGkZB6jRoaP0jUB KJU/IE2qbaCRppoaAeo0ANAAAAAaE9RU/JMp6aQbUepoGmgaADIAAAAGJI1M0SZqZoaj1ANGQAAA AaAGg4yZNDEYmjAIwEwgDATTRpkaAYSRExAEaJowmglPyT00p+iaTzTU9T1JmoPUeoek5OJCIQBi 4TYxykyUYNJZlrX45ncIUUpcV5LfqvvgWPGNouC0rbCLPCXiyWsRCUbIwOjKjlQEChCYbCt75oNk 6onyufFoAEkOJJruUC+FgF7Mkai1DCaxcCASSKU2Qi79xz7T9y3HvJ8r02jVlc+JC3ge6CLYGaaS ETWmyCkakMoxDm29Me1zY9LxxhcMh/Ga8OOrXhZsbj/iWDVWoIM7dSQ4mTtboELGrN17UWCERfvu GDJl8veRM9cwOU5oJdbZhlr7IOFqk+G2pV6qXRnNDVqARa6+dQUWVa4WFbWPCFgFzJ6sl1lnRRBR MyQU624TTyhybENabDsYn5uOQ1sblvzVAtnUSd4Om0y7X9fWyZlPIQsUoT0lQcnYh6FiGiTHrsQT aE3xYYlGTv9d8Z8DQ7c+IfQodwPOKxPoGUNBEjrEYVwLvbXRmigmf0DvjffWtODZlsZ2nYF3LJcR c4J5pKwXv28iyUssFO/hjQTMGbCcwf8SUfqg4wQQEUSTxdIhBBzZjSEXEREBDoHO5C6j8thFCigz JyLGTB8OyvvJF45dbTPGERzszAlAd3lnHwQRQP82rbD8oCMY85xf4sXUjV+qHCovmBBJZoVU3q7x dKhg1DsCKT7hbdFDOJCce0cIXGreYlW3u1zyLlmh0c9ZiVFQVBzTeFB5vakmYRrseA2pBAkS0QB4 IWMhElQsCaDnPWgzukItlxGCF2vljggvMTVSgtxpIGi/uEWhn1BsCYSCw0mJPRXzRqjIx1YIWym/ RGZzGDQEP9UywqSiYDhe1z4Q0TZhDkQoI28hsHLZQalj6m3F0shGi0wLidQKXLeWhcwOG8UD5QQR ExtEbyhBB8y/SaLNciGa1QEOQMhDKTZHB3lUgqkNe5qpppgwWX23GCs1D0QQxonQo4mF9gsUF1QS 
+4TlSpA9Q3rDCuoyyRFaDaZdgi5UbE4u03vfXUgkacDYW1PebrK8bsrwixmR1q/EK0DIJEHQMoGL zes2SLSZgg8vr7fjMlm5lm76nMs2lcJ6czhJ0NRpBUKdGtvlX3/IOQVs9idtLM7O25IVO0+45xzg FgNsXU++URCiT/ncVdXpIpb+4mXQ2rAZK0C2PzQXeXkvgE4YvhGGXkYxVyQMUCiyqrmougAmgHmC KlEGTThv4RzrCzPTuK0xMtaqAxJaWxEi6jBgnOp+sBSILwLz2/hNH4jLwPgQiTBfxEt/Q813X9cs qhdIK6uunmejaSwRqX3FTOV1igtAq/dBPFB5liIqSt9MotPa8vuOCdP5vcco/ubUeQ55OYEDyDiT Jn58RGvoPsVenju0dNELik3c3ETUPJI4ODFbrYGbDHIeu0S9QrFNlsPPYFZ16epy63C23eaY0bu8 2kKAClnRJp4yyekiroIF7sFQsGNikO5Aiq/SBWJqDZWiaGgRSf42wNQMMDc5pyb5VezS9LKF4/rC qmUiFJzc3YaKsl5h2yRg6AhhQG8yFi8QYQrWShVDwcmaUIEO8pjK8c8WrbGqj0xo/QmpVGMII1Jx GkJCuqgnF3bi2Wiy35q2uk65Y6MTyzLW5KlplVYXVNXZ+WEBMfvk7NdjW35AJdACiMNYVUBSWUuw B8d9RYV436VjM3wcXpWza+/joWc6zWDCf+Qs3klYFSUKFmDWGRwIDGvs6bz8GObC55gVwD2h/1ep TDT1urWo/dEWlMhu5J1Ng6QX/gVcNmsZjgA7oGF4sXbXGZQY7BDVAZAOZMX99m8643gHH5pYIfr6 LeGfY4SQbAW4Dggeamk+XyFqyCw7XJ+XHdO2xmRbNa0kEMYLGAui9fdlGIA3PcTgZETUqAaxog8f MqXUjdqDOnQLaHLzjKQLpDAWLhBIxZMysUDpng3RSpSD7a4Sqr29qAiI8hDrmBblynKDLk6CisYU Ho0zhDkCUgiGn96TZpMD5VEIMyqGepgOIMGpHgxVVRUaAvGEIqdSBhnThCIFzH0TFtVdO0IFAYGC DCkk62bw6MXQeIifvQbm6kjk241KBEQNR2Ihc3aOQBkdX9igSmSCgfvWIqhlkJl1um6dR9IPYq6w usBm0nCVRqXO6ZDRBWCxgJhW6KqDpLXCdfzmBFBnQaUCZFhu5Y89Rl5eE2qUIUuuhkA5KknqpcBK S4ZBOsGdLQNdm9FKCEjZRDBkzpgsqTJ/etJ/z84kE0h6mjGMBgwfhUSlo7YTaIn3A04Jcb1wyfdj y0qHJMalH2aBW/bFSUiJgiOGitv2QN+whgmaOS0zIpBiKEk7eITvMAIC5MrylSEG0bIgIwGxHOcI JgCRJRHiT5hTIzOvTEuBgNVPZBLqYUiN1j0wuzJXd5ZkKi+A4fEgZztgisSudKt+d+3Ul/lC/j9B bqCXHuBb8E1qXQgoydriZqDU6ZkxggRlmLeBJOangIChPgQLB0g4AGnYG33B6issuN4hxEQ4/TXr 38vInL9lQvqFDrhCdeAltDD/4u5IpwoSCx5BxgA=