diff options
| author | Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> | 2018-07-14 03:58:12 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-07-14 03:58:12 (GMT) |
| commit | c721472fb83d1f7c7606bcf33ba2d42d6127a764 (patch) | |
| tree | 5423358bf1045bb2902ddbf92a772c2689146b35 /Objects/unicodeobject.c | |
| parent | cf21d0031dd84544d4108765553c2b03dfe726c5 (diff) | |
| download | cpython-c721472fb83d1f7c7606bcf33ba2d42d6127a764.zip cpython-c721472fb83d1f7c7606bcf33ba2d42d6127a764.tar.gz cpython-c721472fb83d1f7c7606bcf33ba2d42d6127a764.tar.bz2 | |
bpo-34087: Fix buffer overflow in int(s) and similar functions (GH-8274)
`_PyUnicode_TransformDecimalAndSpaceToASCII()` missed trailing NUL char.
It caused buffer overflow in `_Py_string_to_number_with_underscores()`.
This bug is introduced in 9b6c60cb.
(cherry picked from commit 16dfca4d829e45f36e71bf43f83226659ce49315)
Co-authored-by: INADA Naoki <methane@users.noreply.github.com>
Diffstat (limited to 'Objects/unicodeobject.c')
| -rw-r--r-- | Objects/unicodeobject.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index d5e7d10..5d605ab 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -9076,6 +9076,7 @@ _PyUnicode_TransformDecimalAndSpaceToASCII(PyObject *unicode) int decimal = Py_UNICODE_TODECIMAL(ch); if (decimal < 0) { out[i] = '?'; + out[i+1] = '\0'; _PyUnicode_LENGTH(result) = i + 1; break; } @@ -9083,6 +9084,7 @@ _PyUnicode_TransformDecimalAndSpaceToASCII(PyObject *unicode) } } + assert(_PyUnicode_CheckConsistency(result, 1)); return result; } |