diff options
| -rw-r--r-- | Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst | 3 | ||||
| -rw-r--r-- | Objects/bytesobject.c | 12 | ||||
| -rw-r--r-- | Objects/unicodeobject.c | 12 |
3 files changed, 21 insertions, 6 deletions
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst b/Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst new file mode 100644 index 0000000..dbc00bc --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst @@ -0,0 +1,3 @@ +Format characters ``%s`` and ``%V`` in :c:func:`PyUnicode_FromFormat` and +``%s`` in :c:func:`PyBytes_FromFormat` no longer read memory past the +limit if *precision* is specified. diff --git a/Objects/bytesobject.c b/Objects/bytesobject.c index 40ef471..b299d48 100644 --- a/Objects/bytesobject.c +++ b/Objects/bytesobject.c @@ -312,9 +312,15 @@ PyBytes_FromFormatV(const char *format, va_list vargs) Py_ssize_t i; p = va_arg(vargs, const char*); - i = strlen(p); - if (prec > 0 && i > prec) - i = prec; + if (prec <= 0) { + i = strlen(p); + } + else { + i = 0; + while (i < prec && p[i]) { + i++; + } + } s = _PyBytesWriter_WriteBytes(&writer, s, p, i); if (s == NULL) goto error; diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index 304ea74..f1d23b6 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -2578,9 +2578,15 @@ unicode_fromformat_write_cstr(_PyUnicodeWriter *writer, const char *str, PyObject *unicode; int res; - length = strlen(str); - if (precision != -1) - length = Py_MIN(length, precision); + if (precision == -1) { + length = strlen(str); + } + else { + length = 0; + while (length < precision && str[length]) { + length++; + } + } unicode = PyUnicode_DecodeUTF8Stateful(str, length, "replace", NULL); if (unicode == NULL) return -1; |