[3.12] gh-105235: Prevent reading outside buffer during mmap.find() (GH-105252) (#106708)

gh-105235: Prevent reading outside buffer during mmap.find() (GH-105252)

* Add a special case for s[-m:] == p in _PyBytes_Find

* Add tests for _PyBytes_Find

* Make sure that start <= end in mmap.find
(cherry picked from commit ab86426a3472ab68747815299d390b213793c3d1)

Co-authored-by: Dennis Sweeney <36520290+sweeneyde@users.noreply.github.com>

1 files changed, 19 insertions, 2 deletions

diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c
index abbf3ee..f3a978c 100644
--- a/Objects/bytesobject.c
+++ b/Objects/bytesobject.c
@@ -1274,8 +1274,25 @@ _PyBytes_Find(const char *haystack, Py_ssize_t len_haystack,
               const char *needle, Py_ssize_t len_needle,
               Py_ssize_t offset)
 {
-    return stringlib_find(haystack, len_haystack,
-                          needle, len_needle, offset);
+    assert(len_haystack >= 0);
+    assert(len_needle >= 0);
+    // Extra checks because stringlib_find accesses haystack[len_haystack].
+    if (len_needle == 0) {
+        return offset;
+    }
+    if (len_needle > len_haystack) {
+        return -1;
+    }
+    assert(len_haystack >= 1);
+    Py_ssize_t res = stringlib_find(haystack, len_haystack - 1,
+                                    needle, len_needle, offset);
+    if (res == -1) {
+        Py_ssize_t last_align = len_haystack - len_needle;
+        if (memcmp(haystack + last_align, needle, len_needle) == 0) {
+            return offset + last_align;
+        }
+    }
+    return res;
 }
 
 Py_ssize_t