From: Gregory P. Smith <greg@krypto.org>
Date: Tue, 13 Nov 2018 21:16:54 +0000 (-0800)
Subject: bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506)
X-Git-Tag: v3.8.0a1~501
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=746b2d35ea47005054ed774fecaed64fab803d7d;p=thirdparty%2FPython%2Fcpython.git

bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506)

Discovered using clang's MemorySanitizer when it ran python3's
test_fstring test_misformed_unicode_character_name.

An msan build will fail by simply executing: ./python -c 'u"\N"'
---

diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst
new file mode 100644
index 000000000000..d462c97d8040
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst	
@@ -0,0 +1,3 @@
+Fixed an out of bounds memory access when parsing a truncated unicode
+escape sequence at the end of a string such as ``'\N'``.  It would read
+one byte beyond the end of the memory allocation.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index e5d026f9aa0e..04ca5f334447 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -6069,7 +6069,7 @@ _PyUnicode_DecodeUnicodeEscape(const char *s,
             }
 
             message = "malformed \\N character escape";
-            if (*s == '{') {
+            if (s < end && *s == '{') {
                 const char *start = ++s;
                 size_t namelen;
                 /* look for the closing brace */