merge 3.2

156285c3 · Benjamin Peterson · f5c34054 · 99b5afab · 156285c3 · 156285c3
Commit 156285c3 authored Apr 13, 2014 by Benjamin Peterson
Show whitespace changes
Inline Side-by-side

Showing with 12 additions and 1 deletion

Lib/test/test_json/test_decode.py Lib/test/test_json/test_decode.py +4 -0

Misc/ACKS Misc/ACKS +1 -0

Misc/NEWS Misc/NEWS +3 -0

Modules/_json.c Modules/_json.c +4 -1

No files found.
--- a/Lib/test/test_json/test_decode.py
+++ b/Lib/test/test_json/test_decode.py
@@ -70,5 +70,9 @@ class TestDecode:
        msg = 'escape'
        self.assertRaisesRegex(ValueError, msg, self.loads, s)
+    def test_negative_index(self):
+        d = self.json.JSONDecoder()
+        self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000)
 class TestPyDecode(TestDecode, PyTest): pass
 class TestCDecode(TestDecode, CTest): pass
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1313,6 +1313,7 @@ Johannes Vogel
 Alex Volkov
 Martijn Vries
 Sjoerd de Vries
+Guido Vranken
 Niki W. Waibel
 Wojtek Walczak
 Charles Waldman

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -13,6 +13,9 @@ Core and Builtins
 Library
 -------
+- Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second
+  parameter. Bug reported by Guido Vranken.
 - Issue #20633: Replace relative import by absolute import.
 - Issue #21082: In os.makedirs, do not set the process-wide umask. Note this

--- a/Modules/_json.c
+++ b/Modules/_json.c
@@ -975,7 +975,10 @@ scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_
    kind = PyUnicode_KIND(pystr);
    length = PyUnicode_GET_LENGTH(pystr);
-    if (idx >= length) {
+    if (idx < 0)
+        /* Compatibility with Python version. */
+        idx += length;
+    if (idx < 0 || idx >= length) {
        PyErr_SetNone(PyExc_StopIteration);
        return NULL;
    }