[3.7] bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506) (GH-10522)

miss-islington · web-flow · commit 9fbcb1402efa · 2018-11-13T16:39:36.000-08:00
Discovered using clang's MemorySanitizer when it ran python3's test_fstring test_misformed_unicode_character_name. An msan build will fail by simply executing: ./python -c 'u"\N"' (cherry picked from commit 746b2d3) Co-authored-by: Gregory P. Smith <greg@krypto.org> https://bugs.python.org/issue35214
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst
@@ -0,0 +1,3 @@
+Fixed an out of bounds memory access when parsing a truncated unicode
+escape sequence at the end of a string such as ``'\N'``.  It would read
+one byte beyond the end of the memory allocation.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
@@ -6042,7 +6042,7 @@ _PyUnicode_DecodeUnicodeEscape(const char *s,
             }
 
             message = "malformed \\N character escape";
-            if (*s == '{') {
+            if (s < end && *s == '{') {
                 const char *start = ++s;
                 size_t namelen;
                 /* look for the closing brace */

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Fixed an out of bounds memory access when parsing a truncated unicode`
	`2`	+escape sequence at the end of a string such as ``'\N'``. It would read
	`3`	`+one byte beyond the end of the memory allocation.`
Original file line number	Diff line number	Diff line change
`@@ -6042,7 +6042,7 @@ _PyUnicode_DecodeUnicodeEscape(const char *s,`
`6042`	`6042`	`}`
`6043`	`6043`
`6044`	`6044`	`message = "malformed \\N character escape";`
`6045`		`- if (*s == '{') {`
	`6045`	`+ if (s < end && *s == '{') {`
`6046`	`6046`	`const char *start = ++s;`
`6047`	`6047`	`size_t namelen;`
`6048`	`6048`	`/* look for the closing brace */`