bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506)

Discovered using clang's MemorySanitizer when it ran python3's test_fstring test_misformed_unicode_character_name. An msan build will fail by simply executing: ./python -c 'u"\N"'

bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506)
Discovered using clang's MemorySanitizer when it ran python3's test_fstring test_misformed_unicode_character_name. An msan build will fail by simply executing: ./python -c 'u"\N"'
746b2d35 · Gregory P. Smith · GitHub · 00b137c7 · 746b2d35 · 746b2d35
Commit 746b2d35 authored Nov 13, 2018 by Gregory P. Smith Committed by GitHub Nov 13, 2018
Showing with 4 additions and 1 deletion

Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst ...ore and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst +3 -0

Objects/unicodeobject.c Objects/unicodeobject.c +1 -1

No files found.
--- a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-00-40-35.bpo-35214.OQBjph.rst
+Fixed an out of bounds memory access when parsing a truncated unicode
+escape sequence at the end of a string such as ``'\N'``.  It would read
+one byte beyond the end of the memory allocation.
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -6069,7 +6069,7 @@ _PyUnicode_DecodeUnicodeEscape(const char *s,
            }

            message = "malformed \\N character escape";
-            if (*s == '{') {
+            if (s < end && *s == '{') {
                const char *start = ++s;
                size_t namelen;
                /* look for the closing brace */