head	1.2;
access;
symbols
	RELEASE_4_EOL:1.1
	RELEASE_6_2_0:1.1;
locks; strict;
comment	@# @;


1.2
date	2007.02.14.06.07.29;	author delphij;	state dead;
branches;
next	1.1;

1.1
date	2006.10.08.06.48.01;	author simon;	state Exp;
branches;
next	;


desc
@@


1.2
log
@Update to Python 2.4.4.

Approved by:	maintainer timeout, alexbl (python@@)
Tested by:	pointyhat
PR:		ports/105901
@
text
@--- Objects/unicodeobject.c	2006/08/22 08:09:11	51465
+++ Objects/unicodeobject.c	2006/08/22 08:25:33	51466
@@@@ -1970,7 +1970,28 @@@@
 
     static const char *hexdigit = "0123456789abcdef";
 
-    repr = PyString_FromStringAndSize(NULL, 2 + 6*size + 1);
+    /* Initial allocation is based on the longest-possible unichr
+       escape.
+
+       In wide (UTF-32) builds '\U00xxxxxx' is 10 chars per source
+       unichr, so in this case it's the longest unichr escape. In
+       narrow (UTF-16) builds this is five chars per source unichr
+       since there are two unichrs in the surrogate pair, so in narrow
+       (UTF-16) builds it's not the longest unichr escape.
+
+       In wide or narrow builds '\uxxxx' is 6 chars per source unichr,
+       so in the narrow (UTF-16) build case it's the longest unichr
+       escape.
+    */
+
+    repr = PyString_FromStringAndSize(NULL,
+        2
+#ifdef Py_UNICODE_WIDE
+        + 10*size
+#else
+        + 6*size
+#endif
+        + 1);
     if (repr == NULL)
         return NULL;
 
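Review bot: The products `10*size` and `6*size` passed to `PyString_FromStringAndSize` are computed with no overflow check, so a sufficiently large `size` could wrap the requested length and leave the buffer smaller than the worst case the new comment describes. The declaration of `size` is outside this hunk, so its type and any earlier bound need confirming; the enclosing function also starts and ends outside the hunk. If nothing upstream limits it, a guard before the allocation would close the gap, e.g. `if (size > (MAX_FOR_SIZE_TYPE - 3) / 10) return PyErr_NoMemory();`, with 6 in place of 10 in the narrow branch and MAX_FOR_SIZE_TYPE standing for the limit of whatever type `size` has. Without it, the fixed-size allocation still depends on callers never passing a huge length, now that the in-loop resize is removed.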
@@@@ -1995,15 +2016,6 @@@@
 #ifdef Py_UNICODE_WIDE
         /* Map 21-bit characters to '\U00xxxxxx' */
         else if (ch >= 0x10000) {
-	    int offset = p - PyString_AS_STRING(repr);
-
-	    /* Resize the string if necessary */
-	    if (offset + 12 > PyString_GET_SIZE(repr)) {
-		if (_PyString_Resize(&repr, PyString_GET_SIZE(repr) + 100))
-		    return NULL;
-		p = PyString_AS_STRING(repr) + offset;
-	    }
-
             *p++ = '\\';
             *p++ = 'U';
             *p++ = hexdigit[(ch >> 28) & 0x0000000F];
@@@@ -2016,8 +2028,8 @@@@
             *p++ = hexdigit[ch & 0x0000000F];
 	    continue;
         }
-#endif
-	/* Map UTF-16 surrogate pairs to Unicode \UXXXXXXXX escapes */
+#else
+	/* Map UTF-16 surrogate pairs to '\U00xxxxxx' */
 	else if (ch >= 0xD800 && ch < 0xDC00) {
 	    Py_UNICODE ch2;
 	    Py_UCS4 ucs;
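Review bot: Turning `#endif` into `#else` here compiles the surrogate-pair branch only in narrow builds, and neither the comment nor the commit message says so. In a wide build, a high surrogate followed by a low surrogate in the input is no longer combined and presumably falls through to the `'\uxxxx'` branch as two separate escapes. That still fits the 10-chars-per-unichr allocation, but it is a change in output that deserves a line in the comment, e.g. `/* Narrow builds only: wide builds emit lone surrogates via the '\uxxxx' path below */`. The closing directive added in the last hunk would also read better as `#endif /* Py_UNICODE_WIDE */`, since the conditional now spans two long branches. The body of this branch continues outside the hunk.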
@@@@ -2042,6 +2054,7 @@@@
 	    s--;
 	    size++;
 	}
+#endif
 
         /* Map 16-bit characters to '\uxxxx' */
         if (ch >= 256) {
@


1.1
log
@Fix buffer overrun when performing repr() on a unicode string in a build
with wide unicode (UCS-4) support.

Obtained from:	Python SVN (#51466)
Security:	CVE-2006-4980
With hat:	secteam
@
text
@@

