authorSerhiy Storchaka <storchaka@gmail.com>2019-01-12 08:30:35 (GMT)
committerGitHub <noreply@github.com>2019-01-12 08:30:35 (GMT)
commitd586ccb04f79863c819b212ec5b9d873964078e4 (patch)
tree8b2d20f04b4b3867654a608a8ad8d54360acc367 /Objects/unicodeobject.c
parentf1ec3cefad4639797c37eaa8c074830188fa0a44 (diff)
bpo-35552: Fix reading past the end in PyUnicode_FromFormat() and PyBytes_FromFormat(). (GH-11276)
Format characters "%s" and "%V" in PyUnicode_FromFormat() and "%s" in PyBytes_FromFormat() no longer read memory past the limit if precision is specified.
Diffstat (limited to 'Objects/unicodeobject.c')
-rw-r--r--Objects/unicodeobject.c12
1 files changed, 9 insertions, 3 deletions
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index 304ea74..f1d23b6 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -2578,9 +2578,15 @@ unicode_fromformat_write_cstr(_PyUnicodeWriter *writer, const char *str,
PyObject *unicode;
int res;
- length = strlen(str);
- if (precision != -1)
- length = Py_MIN(length, precision);
+ if (precision == -1) {
+ length = strlen(str);
+ }
+ else {
+ length = 0;
+ while (length < precision && str[length]) {
+ length++;
+ }
+ }
unicode = PyUnicode_DecodeUTF8Stateful(str, length, "replace", NULL);
if (unicode == NULL)
return -1;
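Review bot: The bounded scan in the new `else` branch has no comment saying why `strlen()` is avoided, so a later cleanup could fold it back into `Py_MIN(strlen(str), precision)` and bring back the read past the end of a buffer that has no NUL within `precision` bytes. I would put a comment above the loop, for example `/* With a precision, str need not be NUL-terminated: never read beyond str[precision - 1]. */`. The loop relies on `precision` being either -1 or non-negative; that appears to hold from the format parser, which is outside this hunk, so it may be worth stating in the same comment. The body of `unicode_fromformat_write_cstr` starts before and continues after the lines shown here.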