From: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Date: Wed, 14 Nov 2018 00:39:36 +0000 (-0800) Subject: [3.7] bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506) (GH-10522) X-Git-Tag: v3.7.2rc1~143 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9fbcb1402efab4e287f25145a69ba14c9c6dbce9;p=thirdparty%2FPython%2Fcpython.git [3.7] bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506) (GH-10522) Discovered using clang's MemorySanitizer when it ran python3's test_fstring test_misformed_unicode_character_name. An msan build will fail by simply executing: ./python -c 'u"\N"' (cherry picked from commit 746b2d35ea47005054ed774fecaed64fab803d7d) Co-authored-by: Gregory P. Smith https://bugs.python.org/issue35214 --- diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst new file mode 100644 index 000000000000..d462c97d8040 --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst @@ -0,0 +1,3 @@ +Fixed an out of bounds memory access when parsing a truncated unicode +escape sequence at the end of a string such as ``'\N'``. It would read +one byte beyond the end of the memory allocation. diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index fe833a76eadb..71eb654095a6 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -6042,7 +6042,7 @@ _PyUnicode_DecodeUnicodeEscape(const char *s, } message = "malformed \\N character escape"; - if (*s == '{') { + if (s < end && *s == '{') { const char *start = ++s; size_t namelen; /* look for the closing brace */