Fix SF bug 599128, submitted by Inyeol Lee: .replace() would do the

wrong thing for a unicode subclass when there were zero string
replacements.  The example given in the SF bug report was only one way
to trigger this; replacing a string of length >= 2 that's not found is
another.  The code would actually write outside allocated memory if
replacement string was longer than the search string.

(I wonder how many more of these are lurking?  The unicode code base
is full of wonders.)

Bugfix candidate; this same bug is present in 2.2.1.

1 files changed, 9 insertions, 3 deletions

diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 6dea94f..920f9ea 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -3534,10 +3534,16 @@ PyObject *replace(PyUnicodeObject *self,
         n = count(self, 0, self->length, str1);
         if (n > maxcount)
             n = maxcount;
-        if (n == 0 && PyUnicode_CheckExact(self)) {
+        if (n == 0) {
             /* nothing to replace, return original string */
-            Py_INCREF(self);
-            u = self;
+            if (PyUnicode_CheckExact(self)) {
+                Py_INCREF(self);
+                u = self;
+            }
+            else {
+                u = (PyUnicodeObject *)
+                    PyUnicode_FromUnicode(self->str, self->length);
+	    }
         } else {
             u = _PyUnicode_New(
                 self->length + n * (str2->length - str1->length));