From d586ccb04f79863c819b212ec5b9d873964078e4 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka <storchaka@gmail.com>
Date: Sat, 12 Jan 2019 10:30:35 +0200
Subject: bpo-35552: Fix reading past the end in PyUnicode_FromFormat() and
 PyBytes_FromFormat(). (GH-11276)

Format characters "%s" and "%V" in PyUnicode_FromFormat() and "%s" in PyBytes_FromFormat()
no longer read memory past the limit if precision is specified.
---
 Objects/unicodeobject.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

(limited to 'Objects/unicodeobject.c')

diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 304ea7471f..f1d23b66fa 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -2578,9 +2578,15 @@ unicode_fromformat_write_cstr(_PyUnicodeWriter *writer, const char *str,
     PyObject *unicode;
     int res;
 
-    length = strlen(str);
-    if (precision != -1)
-        length = Py_MIN(length, precision);
+    if (precision == -1) {
+        length = strlen(str);
+    }
+    else {
+        length = 0;
+        while (length < precision && str[length]) {
+            length++;
+        }
+    }
     unicode = PyUnicode_DecodeUTF8Stateful(str, length, "replace", NULL);
     if (unicode == NULL)
         return -1;
-- 
cgit v1.2.1