summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGregory P. Smith <greg@krypto.org>2018-11-13 13:16:54 -0800
committerGitHub <noreply@github.com>2018-11-13 13:16:54 -0800
commit746b2d35ea47005054ed774fecaed64fab803d7d (patch)
tree95df1265514b578a9c2dcc2898bbce2f100dd064
parent00b137c72f90fbc39a6cd7e48b37c58d19977180 (diff)
downloadcpython-git-746b2d35ea47005054ed774fecaed64fab803d7d.tar.gz
bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506)
Discovered using clang's MemorySanitizer when it ran python3's test_fstring test_misformed_unicode_character_name. An msan build will fail by simply executing: ./python -c 'u"\N"'
-rw-r--r--Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst3
-rw-r--r--Objects/unicodeobject.c2
2 files changed, 4 insertions, 1 deletions
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst
new file mode 100644
index 0000000000..d462c97d80
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst
@@ -0,0 +1,3 @@
+Fixed an out of bounds memory access when parsing a truncated unicode
+escape sequence at the end of a string such as ``'\N'``. It would read
+one byte beyond the end of the memory allocation.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index e5d026f9aa..04ca5f3344 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -6069,7 +6069,7 @@ _PyUnicode_DecodeUnicodeEscape(const char *s,
}
message = "malformed \\N character escape";
- if (*s == '{') {
+ if (s < end && *s == '{') {
const char *start = ++s;
size_t namelen;
/* look for the closing brace */