[2.7] bpo-35552: Fix reading past the end in PyString_FromFormat(). (GH-11276) (GH-11534)

Format character "%s" in PyString_FromFormat() no longer read memory past the limit if precision is specified. (cherry picked from commit d586ccb0)

[2.7] bpo-35552: Fix reading past the end in PyString_FromFormat(). (GH-11276) (GH-11534)
Format character "%s" in PyString_FromFormat() no longer read memory past the limit if precision is specified. (cherry picked from commit d586ccb0)
555755ec · Serhiy Storchaka · GitHub · 08a81df0 · 555755ec · 555755ec
Commit 555755ec authored Jan 12, 2019 by Serhiy Storchaka Committed by GitHub Jan 12, 2019
Showing with 11 additions and 3 deletions

Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst ...ore and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst +2 -0

Objects/stringobject.c Objects/stringobject.c +9 -3

No files found.
--- a/Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-12-21-13-29-30.bpo-35552.1DzQQc.rst
+Format character ``%s`` in :c:func:`PyString_FromFormat` no longer read
+memory past the limit if *precision* is specified.
--- a/Objects/stringobject.c
+++ b/Objects/stringobject.c
@@ -360,9 +360,15 @@ PyString_FromFormatV(const char *format, va_list vargs)
                break;
            case 's':
                p = va_arg(vargs, char*);
-                i = strlen(p);
-                if (n > 0 && i > n)
-                    i = n;
+                if (n <= 0) {
+                    i = strlen(p);
+                }
+                else {
+                    i = 0;
+                    while (i < n && p[i]) {
+                        i++;
+                    }
+                }
                Py_MEMCPY(s, p, i);
                s += i;
                break;