From 16dfca4d829e45f36e71bf43f83226659ce49315 Mon Sep 17 00:00:00 2001
From: INADA Naoki
Date: Sat, 14 Jul 2018 12:06:43 +0900
Subject: bpo-34087: Fix buffer overflow in int(s) and similar functions (GH-8274)
`_PyUnicode_TransformDecimalAndSpaceToASCII()` missed trailing NUL char. It caused buffer overflow in `_Py_string_to_number_with_underscores()`. This bug is introduced in 9b6c60cb.
---
 Objects/unicodeobject.c | 2 ++
 1 file changed, 2 insertions(+)
(limited to 'Objects/unicodeobject.c')
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 80d1bba1e9..2b06f15f6c 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -9072,6 +9072,7 @@ _PyUnicode_TransformDecimalAndSpaceToASCII(PyObject *unicode)
 int decimal = Py_UNICODE_TODECIMAL(ch);
 if (decimal < 0) {
 out[i] = '?';
+ out[i+1] = '\0';
 _PyUnicode_LENGTH(result) = i + 1;
 break;
 }
@@ -9079,6 +9080,7 @@ _PyUnicode_TransformDecimalAndSpaceToASCII(PyObject *unicode)
 }
 }
+ assert(_PyUnicode_CheckConsistency(result, 1));
 return result;
 }
-- 
cgit v1.2.1
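Review bot: The new store `out[i+1] = '\0';` in the `decimal < 0` branch writes one slot past the character just handled, so it is in bounds only if the buffer behind `out` was allocated with room for a terminator after the last character. That allocation and the loop bound on `i` are above this hunk and should be confirmed against it. The line would also benefit from a comment recording why it exists, for example `/* result is truncated to i + 1 here; callers read it as a C string, so terminate at the new length */`, since the commit message names `_Py_string_to_number_with_underscores()` as the reader that overran.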
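Review bot: The added `assert(_PyUnicode_CheckConsistency(result, 1));` before `return result;` is compiled out when `NDEBUG` is defined, so release builds get no protection from it if the terminator is dropped again. It is presumably meant to catch a truncated result that lacks its trailing NUL, but only debug builds will ever evaluate it. A regression test that feeds `int()` a string with a non-ASCII, non-decimal character would guard the fix in every build; this view is limited to `Objects/unicodeobject.c`, so such a test may already exist elsewhere in the commit. The function body starts outside the hunk, so whether `result` can be NULL at this point is not visible here.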