[2.7] bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506) (GH-10538)

Discovered using clang's MemorySanitizer. A msan build will fail by simply executing: ./python -c 'u"\N"' (cherry picked from commit 746b2d35) Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google LLC]

[2.7] bpo-35214: Fix OOB memory access in unicode escape parser (GH-10506) (GH-10538)
Discovered using clang's MemorySanitizer. A msan build will fail by simply executing: ./python -c 'u"\N"' (cherry picked from commit 746b2d35) Co-authored-by: Gregory P. Smith <greg@krypto.org> [Google LLC]
b6f4472d · Gregory P. Smith · GitHub · 815fa49d · b6f4472d · b6f4472d
Commit b6f4472d authored Nov 14, 2018 by Gregory P. Smith Committed by GitHub Nov 14, 2018
Showing with 4 additions and 1 deletion

Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst ...ore and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst +3 -0

Objects/unicodeobject.c Objects/unicodeobject.c +1 -1

No files found.
--- a/Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst
+++ b/Misc/NEWS.d/next/Core and Builtins/2018-11-13-17-20-18.bpo-35214.AH2F87.rst
+Fixed an out of bounds memory access when parsing a truncated unicode escape
+sequence at the end of a string such as ``u'\N'``.  It would read one byte
+beyond the end of the memory allocation.
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c
@@ -2950,7 +2950,7 @@ PyObject *PyUnicode_DecodeUnicodeEscape(const char *s,
                if (ucnhash_CAPI == NULL)
                    goto ucnhashError;
            }
-            if (*s == '{') {
+            if (s < end && *s == '{') {
                const char *start = s+1;
                /* look for the closing brace */
                while (*s != '}' && s < end)