diff options
| -rw-r--r-- | Lib/test/test_re.py | 10 | ||||
| -rw-r--r-- | Misc/NEWS | 3 | ||||
| -rw-r--r-- | Modules/_sre.c | 9 |
3 files changed, 20 insertions, 2 deletions
diff --git a/Lib/test/test_re.py b/Lib/test/test_re.py index 0834fe0f40..9acd5abbfd 100644 --- a/Lib/test/test_re.py +++ b/Lib/test/test_re.py @@ -1679,6 +1679,16 @@ SUBPATTERN None self.checkPatternError(r'(?<>)', 'unknown extension ?<>', 1) self.checkPatternError(r'(?', 'unexpected end of pattern', 2) + def test_bug_29444(self): + s = bytearray(b'abcdefgh') + m = re.search(b'[a-h]+', s) + m2 = re.search(b'[e-h]+', s) + self.assertEqual(m.group(), b'abcdefgh') + self.assertEqual(m2.group(), b'efgh') + s[:] = b'xyz' + self.assertEqual(m.group(), b'xyz') + self.assertEqual(m2.group(), b'') + class PatternReprTests(unittest.TestCase): def check(self, pattern, expected): @@ -21,6 +21,9 @@ Extension Modules Library ------- +- Issue #29444: Fixed out-of-bounds buffer access in the group() method of + the match object. Based on patch by WGH. + - Issue #29335: Fix subprocess.Popen.wait() when the child process has exited to a stopped instead of terminated state (ex: when under ptrace). diff --git a/Modules/_sre.c b/Modules/_sre.c index 09b58352de..4b376ec078 100644 --- a/Modules/_sre.c +++ b/Modules/_sre.c @@ -2015,6 +2015,7 @@ match_getslice_by_index(MatchObject* self, Py_ssize_t index, PyObject* def) Py_buffer view; PyObject *result; void* ptr; + Py_ssize_t i, j; if (index < 0 || index >= self->groups) { /* raise IndexError if we were given a bad group number */ @@ -2036,8 +2037,12 @@ match_getslice_by_index(MatchObject* self, Py_ssize_t index, PyObject* def) ptr = getstring(self->string, &length, &isbytes, &charsize, &view); if (ptr == NULL) return NULL; - result = getslice(isbytes, ptr, - self->string, self->mark[index], self->mark[index+1]); + + i = self->mark[index]; + j = self->mark[index+1]; + i = Py_MIN(i, length); + j = Py_MIN(j, length); + result = getslice(isbytes, ptr, self->string, i, j); if (isbytes && view.buf != NULL) PyBuffer_Release(&view); return result; |