[Python-checkins] [2.7] bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506) (GH-10538)
Gregory P. Smith
webhook-mailer at python.org
Wed Nov 14 14:55:12 EST 2018
https://github.com/python/cpython/commit/b6f4472dc4190e2fd668490d86aeefd2ab0df935
commit: b6f4472dc4190e2fd668490d86aeefd2ab0df935
branch: 2.7
author: Gregory P. Smith <greg at krypto.org>
committer: GitHub <noreply at github.com>
date: 2018-11-14T11:55:07-08:00
summary:
[2.7] bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506) (GH-10538)
Discovered using clang's MemorySanitizer.
A msan build will fail by simply executing: ./python -c 'u"\N"'
(cherry picked from commit 746b2d3)
Co-authored-by: Gregory P. Smith <greg at krypto.org> [Google LLC]
files:
A Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst
M Objects/unicodeobject.c
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst
new file mode 100644
index 000000000000..91f6916ae191
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst
@@ -0,0 +1,3 @@
+Fixed an out of bounds memory access when parsing a truncated unicode escape
+sequence at the end of a string such as ``u'\N'``. It would read one byte
+beyond the end of the memory allocation.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index b76db619ad76..21d994cdd6b6 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -2950,7 +2950,7 @@ PyObject *PyUnicode_DecodeUnicodeEscape(const char *s,
if (ucnhash_CAPI == NULL)
goto ucnhashError;
}
- if (*s == '{') {
+ if (s < end && *s == '{') {
const char *start = s+1;
/* look for the closing brace */
while (*s != '}' && s < end)
More information about the Python-checkins
mailing list