File python-3.2-CVE-2012-2135.patch of Package python3.openSUSE_12.1_Update

Index: Python-3.2.1/Objects/unicodeobject.c
===================================================================
--- Python-3.2.1.orig/Objects/unicodeobject.c
+++ Python-3.2.1/Objects/unicodeobject.c
@@ -3392,7 +3392,7 @@ PyUnicode_DecodeUTF16Stateful(const char
     Py_ssize_t outpos;
     PyUnicodeObject *unicode;
     Py_UNICODE *p;
-    const unsigned char *q, *e, *aligned_end;
+    const unsigned char *q, *e, *e2, *aligned_end;
     int bo = 0;       /* assume native ordering by default */
     int native_ordering = 0;
     const char *errmsg = "";
@@ -3416,7 +3416,7 @@ PyUnicode_DecodeUTF16Stateful(const char
     /* Unpack UTF-16 encoded data */
     p = unicode->str;
     q = (unsigned char *)s;
-    e = q + size - 1;
+    e = q + size;
 
     if (byteorder)
         bo = *byteorder;
@@ -3466,8 +3466,9 @@ PyUnicode_DecodeUTF16Stateful(const char
     native_ordering = ilo > ihi;
 #endif
 
+    e2 = e - 1;
     aligned_end = (const unsigned char *) ((size_t) e & ~LONG_PTR_MASK);
-    while (q < e) {
+    while (q < e2) {
         Py_UNICODE ch;
         /* First check for possible aligned read of a C 'long'. Unaligned
            reads are more expensive, better to defer to another iteration. */
@@ -3537,7 +3538,7 @@ PyUnicode_DecodeUTF16Stateful(const char
             }
             p = _p;
             q = _q;
-            if (q >= e)
+            if (q >= e2)
                 break;
         }
         ch = (q[ihi] << 8) | q[ilo];
@@ -3550,10 +3551,10 @@ PyUnicode_DecodeUTF16Stateful(const char
         }
 
         /* UTF-16 code pair: */
-        if (q > e) {
+        if (q >= e2) {
             errmsg = "unexpected end of data";
             startinpos = (((const char *)q) - 2) - starts;
-            endinpos = ((const char *)e) + 1 - starts;
+            endinpos = ((const char *)e) - starts;
             goto utf16Error;
         }
         if (0xD800 <= ch && ch <= 0xDBFF) {
@@ -3597,28 +3598,19 @@ PyUnicode_DecodeUTF16Stateful(const char
                 &outpos,
                 &p))
             goto onError;
+        /* Update data because unicode_decode_call_errorhandler might have
+           changed the input object. */
+        e2 = e - 1;
+        aligned_end = (const unsigned char *) ((size_t) e & ~LONG_PTR_MASK);
     }
     /* remaining byte at the end? (size should be even) */
-    if (e == q) {
+    if (q != e) {
         if (!consumed) {
             errmsg = "truncated data";
             startinpos = ((const char *)q) - starts;
-            endinpos = ((const char *)e) + 1 - starts;
+            endinpos = ((const char *)e) - starts;
             outpos = p - PyUnicode_AS_UNICODE(unicode);
-            if (unicode_decode_call_errorhandler(
-                    errors,
-                    &errorHandler,
-                    "utf16", errmsg,
-                    &starts,
-                    (const char **)&e,
-                    &startinpos,
-                    &endinpos,
-                    &exc,
-                    (const char **)&q,
-                    &unicode,
-                    &outpos,
-                    &p))
-                goto onError;
+            goto utf16Error;
             /* The remaining input chars are ignored if the callback
                chooses to skip the input */
         }