From 7e10dbbd45503268f7bb3b241e30745df6c91b99 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka
Date: Sat, 4 Feb 2017 22:53:57 +0200
Subject: Issue #29444: Fixed out-of-bounds buffer access in the group() method of the match object. Based on patch by WGH.
---
 Modules/_sre.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'Modules/_sre.c')
diff --git a/Modules/_sre.c b/Modules/_sre.c
index 09b58352de..4b376ec078 100644
--- a/Modules/_sre.c
+++ b/Modules/_sre.c
@@ -2015,6 +2015,7 @@ match_getslice_by_index(MatchObject* self, Py_ssize_t index, PyObject* def)
 Py_buffer view;
 PyObject *result;
 void* ptr;
+ Py_ssize_t i, j;
 if (index < 0 || index >= self->groups) {
 /* raise IndexError if we were given a bad group number */
@@ -2036,8 +2037,12 @@ match_getslice_by_index(MatchObject* self, Py_ssize_t index, PyObject* def)
 ptr = getstring(self->string, &length, &isbytes, &charsize, &view);
 if (ptr == NULL)
 return NULL;
- result = getslice(isbytes, ptr,
- self->string, self->mark[index], self->mark[index+1]);
+
+ i = self->mark[index];
+ j = self->mark[index+1];
+ i = Py_MIN(i, length);
+ j = Py_MIN(j, length);
+ result = getslice(isbytes, ptr, self->string, i, j);
 if (isbytes && view.buf != NULL)
 PyBuffer_Release(&view);
 return result;
-- 
cgit v1.2.1
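Review bot: The clamp added before `getslice()` in the second hunk has no comment saying why a stored mark can exceed `length`, so the two `Py_MIN` lines read as redundant and are easy to drop in a later cleanup. The marks are saved on the match object while `getstring()` reports the length at the time of the call, so presumably the guarded case is a mutable subject that shrank after matching; I would say so above the clamp, e.g. `/* The buffer may have shrunk since the match; clamp the saved marks to its current length. */`. `Py_MIN` bounds only the upper side, so the slice stays in range only if negative marks are rejected earlier in `match_getslice_by_index`, in the lines between the two hunks that are not shown here; that is worth confirming. The function body starts and ends outside both hunks.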