[Python-checkins] bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506)
Miss Islington (bot)
webhook-mailer at python.org
Tue Nov 13 16:50:09 EST 2018
https://github.com/python/cpython/commit/fdc485a5dff8508328b4f26265d0af1ba5004597
commit: fdc485a5dff8508328b4f26265d0af1ba5004597
branch: 3.6
author: Miss Islington (bot) <31488909+miss-islington at users.noreply.github.com>
committer: GitHub <noreply at github.com>
date: 2018-11-13T13:49:59-08:00
summary:
bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506)
Discovered using clang's MemorySanitizer when it ran python3's
test_fstring test_misformed_unicode_character_name.
An msan build will fail by simply executing: ./python -c 'u"\N"'
(cherry picked from commit 746b2d35ea47005054ed774fecaed64fab803d7d)
Co-authored-by: Gregory P. Smith <greg at krypto.org>
files:
A Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst
M Objects/unicodeobject.c
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst
new file mode 100644
index 000000000000..d462c97d8040
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst
@@ -0,0 +1,3 @@
+Fixed an out of bounds memory access when parsing a truncated unicode
+escape sequence at the end of a string such as ``'\N'``. It would read
+one byte beyond the end of the memory allocation.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 972423e78da8..1f342bd199c7 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -6133,7 +6133,7 @@ _PyUnicode_DecodeUnicodeEscape(const char *s,
}
message = "malformed \\N character escape";
- if (*s == '{') {
+ if (s < end && *s == '{') {
const char *start = ++s;
size_t namelen;
/* look for the closing brace */
More information about the Python-checkins
mailing list