diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2019-01-12 09:20:50 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-01-12 09:20:50 (GMT) |
| commit | 555755ecff2669f4e020147d7d3a0aec71abb679 (patch) | |
| tree | 1966454d8bded6084522b3f8d8d4b58329aa3b5b | |
| parent | 08a81df05004147ee174ece645679576ab867860 (diff) | |
| download | cpython-555755ecff2669f4e020147d7d3a0aec71abb679.zip cpython-555755ecff2669f4e020147d7d3a0aec71abb679.tar.gz cpython-555755ecff2669f4e020147d7d3a0aec71abb679.tar.bz2 | |
[2.7] bpo-35552: Fix reading past the end in PyString_FromFormat(). (GH-11276) (GH-11534)
Format character "%s" in PyString_FromFormat() no longer read memory
past the limit if precision is specified.
(cherry picked from commit d586ccb04f79863c819b212ec5b9d873964078e4)
| -rw-r--r-- | Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst | 2 | ||||
| -rw-r--r-- | Objects/stringobject.c | 12 |
2 files changed, 11 insertions, 3 deletions
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst b/Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst new file mode 100644 index 0000000..47ff76a --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst @@ -0,0 +1,2 @@ +Format character ``%s`` in :c:func:`PyString_FromFormat` no longer read +memory past the limit if *precision* is specified. diff --git a/Objects/stringobject.c b/Objects/stringobject.c index efb0d14..c47d32f 100644 --- a/Objects/stringobject.c +++ b/Objects/stringobject.c @@ -360,9 +360,15 @@ PyString_FromFormatV(const char *format, va_list vargs) break; case 's': p = va_arg(vargs, char*); - i = strlen(p); - if (n > 0 && i > n) - i = n; + if (n <= 0) { + i = strlen(p); + } + else { + i = 0; + while (i < n && p[i]) { + i++; + } + } Py_MEMCPY(s, p, i); s += i; break; |