diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2019-01-12 08:30:35 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-01-12 08:30:35 (GMT) |
| commit | d586ccb04f79863c819b212ec5b9d873964078e4 (patch) | |
| tree | 8b2d20f04b4b3867654a608a8ad8d54360acc367 /Objects/bytesobject.c | |
| parent | f1ec3cefad4639797c37eaa8c074830188fa0a44 (diff) | |
| download | cpython-d586ccb04f79863c819b212ec5b9d873964078e4.zip cpython-d586ccb04f79863c819b212ec5b9d873964078e4.tar.gz cpython-d586ccb04f79863c819b212ec5b9d873964078e4.tar.bz2 | |
bpo-35552: Fix reading past the end in PyUnicode_FromFormat() and PyBytes_FromFormat(). (GH-11276)
Format characters "%s" and "%V" in PyUnicode_FromFormat() and "%s" in PyBytes_FromFormat()
no longer read memory past the limit if precision is specified.
Diffstat (limited to 'Objects/bytesobject.c')
| -rw-r--r-- | Objects/bytesobject.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c index 40ef471..b299d48 100644 --- a/Objects/bytesobject.c +++ b/Objects/bytesobject.c @@ -312,9 +312,15 @@ PyBytes_FromFormatV(const char *format, va_list vargs) Py_ssize_t i; p = va_arg(vargs, const char*); - i = strlen(p); - if (prec > 0 && i > prec) - i = prec; + if (prec <= 0) { + i = strlen(p); + } + else { + i = 0; + while (i < prec && p[i]) { + i++; + } + } s = _PyBytesWriter_WriteBytes(&writer, s, p, i); if (s == NULL) goto error; |