diff options
author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2019-01-12 00:52:55 -0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-01-12 00:52:55 -0800 |
commit | cbc7c2c791185ad44b4b3ede72309df5f252f4cb (patch) | |
tree | 9b7e2027e156fc4d7d735180bbafd9a1d9115f89 /Objects | |
parent | d39c19255910b9dce08c595f511597e98b09e91f (diff) | |
download | cpython-git-cbc7c2c791185ad44b4b3ede72309df5f252f4cb.tar.gz |
bpo-35552: Fix reading past the end in PyUnicode_FromFormat() and PyBytes_FromFormat(). (GH-11276)
Format characters "%s" and "%V" in PyUnicode_FromFormat() and "%s" in PyBytes_FromFormat()
no longer read memory past the limit if precision is specified.
(cherry picked from commit d586ccb04f79863c819b212ec5b9d873964078e4)
Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
Diffstat (limited to 'Objects')
-rw-r--r-- | Objects/bytesobject.c | 12 | ||||
-rw-r--r-- | Objects/unicodeobject.c | 12 |
2 files changed, 18 insertions, 6 deletions
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c index 5f9e1eccf2..172c7f38b9 100644 --- a/Objects/bytesobject.c +++ b/Objects/bytesobject.c @@ -311,9 +311,15 @@ PyBytes_FromFormatV(const char *format, va_list vargs) Py_ssize_t i; p = va_arg(vargs, const char*); - i = strlen(p); - if (prec > 0 && i > prec) - i = prec; + if (prec <= 0) { + i = strlen(p); + } + else { + i = 0; + while (i < prec && p[i]) { + i++; + } + } s = _PyBytesWriter_WriteBytes(&writer, s, p, i); if (s == NULL) goto error; diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 35c8a24b7c..b67ffac4e9 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -2579,9 +2579,15 @@ unicode_fromformat_write_cstr(_PyUnicodeWriter *writer, const char *str, PyObject *unicode; int res; - length = strlen(str); - if (precision != -1) - length = Py_MIN(length, precision); + if (precision == -1) { + length = strlen(str); + } + else { + length = 0; + while (length < precision && str[length]) { + length++; + } + } unicode = PyUnicode_DecodeUTF8Stateful(str, length, "replace", NULL); if (unicode == NULL) return -1; |