diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2017-02-04 20:55:40 (GMT) |
|---|---|---|
| committer | Serhiy Storchaka <storchaka@gmail.com> | 2017-02-04 20:55:40 (GMT) |
| commit | 86e42376c2f41e6601b1844fb127f2f2e7b5349a (patch) | |
| tree | c0f806005f196f632922d5f2ea4d3d813c4e26a9 | |
| parent | 75c0d4f6bb97e723adc3a03c0ff6aaaee0c6981a (diff) | |
| parent | 7e10dbbd45503268f7bb3b241e30745df6c91b99 (diff) | |
| download | cpython-86e42376c2f41e6601b1844fb127f2f2e7b5349a.zip cpython-86e42376c2f41e6601b1844fb127f2f2e7b5349a.tar.gz cpython-86e42376c2f41e6601b1844fb127f2f2e7b5349a.tar.bz2 | |
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
the match object. Based on patch by WGH.
| -rw-r--r-- | Lib/test/test_re.py | 10 | ||||
| -rw-r--r-- | Misc/NEWS | 3 | ||||
| -rw-r--r-- | Modules/_sre.c | 9 |
3 files changed, 20 insertions, 2 deletions
diff --git a/Lib/test/test_re.py b/Lib/test/test_re.py index 4bdaa4b..b945cf0 100644 --- a/Lib/test/test_re.py +++ b/Lib/test/test_re.py @@ -1824,6 +1824,16 @@ SUBPATTERN None 0 0 warnings.simplefilter('error', BytesWarning) self.assertNotEqual(pattern3, pattern1) + def test_bug_29444(self): + s = bytearray(b'abcdefgh') + m = re.search(b'[a-h]+', s) + m2 = re.search(b'[e-h]+', s) + self.assertEqual(m.group(), b'abcdefgh') + self.assertEqual(m2.group(), b'efgh') + s[:] = b'xyz' + self.assertEqual(m.group(), b'xyz') + self.assertEqual(m2.group(), b'') + class PatternReprTests(unittest.TestCase): def check(self, pattern, expected): @@ -55,6 +55,9 @@ Extension Modules Library ------- +- Issue #29444: Fixed out-of-bounds buffer access in the group() method of + the match object. Based on patch by WGH. + - Issue #29335: Fix subprocess.Popen.wait() when the child process has exited to a stopped instead of terminated state (ex: when under ptrace). diff --git a/Modules/_sre.c b/Modules/_sre.c index 979e61f..d092496 100644 --- a/Modules/_sre.c +++ b/Modules/_sre.c @@ -2003,6 +2003,7 @@ match_getslice_by_index(MatchObject* self, Py_ssize_t index, PyObject* def) Py_buffer view; PyObject *result; void* ptr; + Py_ssize_t i, j; if (index < 0 || index >= self->groups) { /* raise IndexError if we were given a bad group number */ @@ -2024,8 +2025,12 @@ match_getslice_by_index(MatchObject* self, Py_ssize_t index, PyObject* def) ptr = getstring(self->string, &length, &isbytes, &charsize, &view); if (ptr == NULL) return NULL; - result = getslice(isbytes, ptr, - self->string, self->mark[index], self->mark[index+1]); + + i = self->mark[index]; + j = self->mark[index+1]; + i = Py_MIN(i, length); + j = Py_MIN(j, length); + result = getslice(isbytes, ptr, self->string, i, j); if (isbytes && view.buf != NULL) PyBuffer_Release(&view); return result; |