diff options
| -rw-r--r-- | Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst | 3 | ||||
| -rw-r--r-- | Objects/unicodeobject.c | 2 |
2 files changed, 4 insertions, 1 deletions
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst new file mode 100644 index 0000000000..d462c97d80 --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst @@ -0,0 +1,3 @@ +Fixed an out of bounds memory access when parsing a truncated unicode +escape sequence at the end of a string such as ``'\N'``. It would read +one byte beyond the end of the memory allocation. diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index e5d026f9aa..04ca5f3344 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -6069,7 +6069,7 @@ _PyUnicode_DecodeUnicodeEscape(const char *s, } message = "malformed \\N character escape"; - if (*s == '{') { + if (s < end && *s == '{') { const char *start = ++s; size_t namelen; /* look for the closing brace */ |