[2.7] bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506) (GH-10538)

gpshead · web-flow · commit b6f4472dc419 · 2018-11-14T11:55:07.000-08:00
Discovered using clang's MemorySanitizer.

A msan build will fail by simply executing: ./python -c 'u"\N"'
(cherry picked from commit 746b2d3)

Co-authored-by: Gregory P. Smith &lt;greg@krypto.org&gt; [Google LLC]
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst
@@ -0,0 +1,3 @@
+Fixed an out of bounds memory access when parsing a truncated unicode escape
+sequence at the end of a string such as ``u'\N'``.  It would read one byte
+beyond the end of the memory allocation.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
@@ -2950,7 +2950,7 @@ PyObject *PyUnicode_DecodeUnicodeEscape(const char *s,
                 if (ucnhash_CAPI == NULL)
                     goto ucnhashError;
             }
-            if (*s == '{') {
+            if (s < end && *s == '{') {
                 const char *start = s+1;
                 /* look for the closing brace */
                 while (*s != '}' && s < end)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+Fixed an out of bounds memory access when parsing a truncated unicode escape`
	`2`	+sequence at the end of a string such as ``u'\N'``. It would read one byte
	`3`	`+beyond the end of the memory allocation.`
Original file line number	Diff line number	Diff line change
`@@ -2950,7 +2950,7 @@ PyObject PyUnicode_DecodeUnicodeEscape(const char s,`
`2950`	`2950`	`if (ucnhash_CAPI == NULL)`
`2951`	`2951`	`goto ucnhashError;`
`2952`	`2952`	`}`
`2953`		`- if (*s == '{') {`
	`2953`	`+ if (s < end && *s == '{') {`
`2954`	`2954`	`const char *start = s+1;`
`2955`	`2955`	`/* look for the closing brace */`
`2956`	`2956`	`while (*s != '}' && s < end)`