[Python-checkins] cpython (merge 3.6 -> default): Issue #29444: Fixed out-of-bounds buffer access in the group() method of

serhiy.storchaka python-checkins at python.org
Sat Feb 4 15:58:06 EST 2017

• Previous message (by thread): [Python-checkins] cpython (merge 3.5 -> 3.6): Issue #29444: Fixed out-of-bounds buffer access in the group() method of
• Next message (by thread): [Python-checkins] cpython (3.5): Issue #29416: Prevent infinite loop in pathlib.Path.mkdir
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

https://hg.python.org/cpython/rev/476b0fa34db4
changeset: 106420:476b0fa34db4
parent: 106417:038dd5e1f01b
parent: 106419:393969776989
user: Serhiy Storchaka <storchaka at gmail.com>
date: Sat Feb 04 22:57:44 2017 +0200
summary:
 Issue #29444: Fixed out-of-bounds buffer access in the group() method of
the match object. Based on patch by WGH.
files:
 Lib/test/test_re.py | 10 ++++++++++
 Misc/NEWS | 3 +++
 Modules/_sre.c | 9 +++++++--
 3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/Lib/test/test_re.py b/Lib/test/test_re.py
--- a/Lib/test/test_re.py
+++ b/Lib/test/test_re.py
@@ -1821,6 +1821,16 @@
 warnings.simplefilter('error', BytesWarning)
 self.assertNotEqual(pattern3, pattern1)
 
+ def test_bug_29444(self):
+ s = bytearray(b'abcdefgh')
+ m = re.search(b'[a-h]+', s)
+ m2 = re.search(b'[e-h]+', s)
+ self.assertEqual(m.group(), b'abcdefgh')
+ self.assertEqual(m2.group(), b'efgh')
+ s[:] = b'xyz'
+ self.assertEqual(m.group(), b'xyz')
+ self.assertEqual(m2.group(), b'')
+
 
 class PatternReprTests(unittest.TestCase):
 def check(self, pattern, expected):
diff --git a/Misc/NEWS b/Misc/NEWS
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -223,6 +223,9 @@
 Library
 -------
 
+- Issue #29444: Fixed out-of-bounds buffer access in the group() method of
+ the match object. Based on patch by WGH.
+
 - Issue #29377: Add SlotWrapperType, MethodWrapperType, and
 MethodDescriptorType built-in types to types module.
 Original patch by Manuel Krebber.
diff --git a/Modules/_sre.c b/Modules/_sre.c
--- a/Modules/_sre.c
+++ b/Modules/_sre.c
@@ -1945,6 +1945,7 @@
 Py_buffer view;
 PyObject *result;
 void* ptr;
+ Py_ssize_t i, j;
 
 if (index < 0 || index >= self->groups) {
 /* raise IndexError if we were given a bad group number */
@@ -1966,8 +1967,12 @@
 ptr = getstring(self->string, &length, &isbytes, &charsize, &view);
 if (ptr == NULL)
 return NULL;
- result = getslice(isbytes, ptr,
- self->string, self->mark[index], self->mark[index+1]);
+
+ i = self->mark[index];
+ j = self->mark[index+1];
+ i = Py_MIN(i, length);
+ j = Py_MIN(j, length);
+ result = getslice(isbytes, ptr, self->string, i, j);
 if (isbytes && view.buf != NULL)
 PyBuffer_Release(&view);
 return result;
-- 
Repository URL: https://hg.python.org/cpython

---

• Previous message (by thread): [Python-checkins] cpython (merge 3.5 -> 3.6): Issue #29444: Fixed out-of-bounds buffer access in the group() method of
• Next message (by thread): [Python-checkins] cpython (3.5): Issue #29416: Prevent infinite loop in pathlib.Path.mkdir
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---

More information about the Python-checkins mailing list