From b6f4472dc4190e2fd668490d86aeefd2ab0df935 Mon Sep 17 00:00:00 2001 From: "Gregory P. Smith" Date: Wed, 14 Nov 2018 11:55:07 -0800 Subject: [2.7] bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506) (GH-10538) Discovered using clang's MemorySanitizer. A msan build will fail by simply executing: ./python -c 'u"\N"' (cherry picked from commit 746b2d3) Co-authored-by: Gregory P. Smith [Google LLC] --- .../next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst | 3 +++ Objects/unicodeobject.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst new file mode 100644 index 0000000..91f6916 --- /dev/null +++ b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst @@ -0,0 +1,3 @@ +Fixed an out of bounds memory access when parsing a truncated unicode escape +sequence at the end of a string such as ``u'\N'``. It would read one byte +beyond the end of the memory allocation. diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c index b76db61..21d994c 100644 --- a/Objects/unicodeobject.c +++ b/Objects/unicodeobject.c @@ -2950,7 +2950,7 @@ PyObject *PyUnicode_DecodeUnicodeEscape(const char *s, if (ucnhash_CAPI == NULL) goto ucnhashError; } - if (*s == '{') { + if (s < end && *s == '{') { const char *start = s+1; /* look for the closing brace */ while (*s != '}' && s < end) -- cgit v0.12
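
Review bot: In the Objects/unicodeobject.c hunk, the unchanged context loop directly below the fixed condition, `while (*s != '}' && s < end)`, still evaluates `*s` before it tests `s < end`. When the input has an opening brace but no closing one, the final iteration reads the byte at `end`, which is the same one-past-the-end read this patch removes from the `if`. Swapping the operands to `while (s < end && *s != '}')` would put the bounds check first there as well. The diffstat also lists only the NEWS entry and the one-line source change, so no regression test accompanies the fix; a test that decodes input ending in a bare `\N` (the `u"\N"` case from the commit message) would keep this path exercised under a sanitizer build.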