classification
Title: decode_unicode doesn't nul-terminate
Type: crash
Stage:
Components:
Versions:

process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Rhamphoryncus, georg.brandl, gvanrossum, loewis
Priority: normal
Keywords:

Created on 2007-09-04 05:38 by Rhamphoryncus, last changed 2007-11-02 22:46 by georg.brandl. This issue is now closed.

Messages (6)
msg55630 - Author: Adam Olsen (Rhamphoryncus) Date: 2007-09-04 05:38
In the large else branch in decode_unicode (if encoding is not NULL or
"iso-8859-1"), the new string it produces is not nul-terminated.  This
then hits PyUnicode_DecodeUnicodeEscape's octal escape case, which reads
past the end of the string (but would stop if there was a nul there.)

I found this via valgrind.
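The defect pattern in this report, as an added illustration in C that is not CPython's code (the toy decoder below stands in for the escape handling, it is not decode_unicode or PyUnicode_DecodeUnicodeEscape): a backslash-octal decoder that relies on a NUL sentinel keeps consuming bytes beyond the range the caller meant to decode when the buffer lacks one, while a decoder bounded by the explicit length stops where it should. The sample buffer is constructed so that the over-read lands inside the same array and can be observed without touching memory the program does not own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy backslash-octal decoder (\o, \oo, \ooo) in the shape of the defect
 * described above: it relies on a terminating NUL to know where the input
 * ends.  If the caller hands it a buffer without one, the outer loop and
 * the digit scan keep reading past the bytes the caller meant to decode.
 * Illustration only; not CPython's decode_unicode or
 * PyUnicode_DecodeUnicodeEscape. */
size_t decode_octal_nulterm(const char *in, char *out, size_t outcap)
{
    size_t n = 0;
    while (*in != '\0' && n < outcap) {
        if (*in == '\\' && in[1] >= '0' && in[1] <= '7') {
            int v = 0, digits = 0;
            in++;                               /* skip the backslash */
            while (digits < 3 && *in >= '0' && *in <= '7') {
                v = v * 8 + (*in - '0');
                in++;
                digits++;
            }
            out[n++] = (char)v;
        } else {
            out[n++] = *in++;
        }
    }
    return n;
}

/* Same decoder, but every read is guarded by the explicit length, so a
 * missing NUL no longer matters and a trailing backslash is kept literally. */
size_t decode_octal_bounded(const char *in, size_t len, char *out, size_t outcap)
{
    size_t i = 0, n = 0;
    while (i < len && n < outcap) {
        if (in[i] == '\\' && i + 1 < len && in[i + 1] >= '0' && in[i + 1] <= '7') {
            int v = 0, digits = 0;
            i++;                                /* skip the backslash */
            while (digits < 3 && i < len && in[i] >= '0' && in[i] <= '7') {
                v = v * 8 + (in[i] - '0');
                i++;
                digits++;
            }
            out[n++] = (char)v;
        } else {
            out[n++] = in[i++];
        }
    }
    return n;
}

/* Constructed sample: the caller intends to decode only the first two bytes
 * ("\1").  The bytes after them ("23") stand in for whatever happens to sit
 * next in memory; keeping them in the same array makes the over-read
 * observable without reading memory the program does not own. */
static const char SAMPLE[] = "\\123";
#define SAMPLE_LEN 2

/* First decoded byte of the 2-byte slice per decoder, or -1 if the output
 * is not exactly one byte long. */
int decoded_first_byte_bounded(void)
{
    char out[8];
    size_t n = decode_octal_bounded(SAMPLE, SAMPLE_LEN, out, sizeof out);
    return n == 1 ? (unsigned char)out[0] : -1;
}

int decoded_first_byte_nulterm(void)
{
    char out[8];
    size_t n = decode_octal_nulterm(SAMPLE, out, sizeof out);
    return n == 1 ? (unsigned char)out[0] : -1;
}

/* 1 if the bounded decoder turns in[0..len) into exactly `expect`. */
int bounded_matches(const char *in, size_t len, const char *expect, size_t expect_len)
{
    char out[64];
    size_t n = decode_octal_bounded(in, len, out, sizeof out);
    return n == expect_len && memcmp(out, expect, n) == 0;
}

int main(void)
{
    printf("bounded decoder on the 2-byte slice:     0x%02x\n",
           decoded_first_byte_bounded());
    printf("NUL-reliant decoder on the same slice:   0x%02x ('%c'), "
           "it consumed the bytes beyond the slice\n",
           decoded_first_byte_nulterm(), decoded_first_byte_nulterm());
    return 0;
}
```

The bounded decoder is the direction the thread's second message points at: when a function already receives an explicit length, every read, including the look-ahead for the digit after a backslash, should be checked against that length rather than against a sentinel the caller may not have written.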
msg55863 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2007-09-12 19:32
The function in question is in Python/ast.c. Martin, does the string
need to be null-terminated or does DecodeUnicodeEscape need to be fixed
(since it takes an explicit length argument)?
msg57069 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2007-11-02 22:23
Guido, didn't you fix something about 0-termination in a DecodeUnicode
function recently? I can't seem to find the commit now though...
msg57071 - Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2007-11-02 22:35
Yes I did, in r58709, in the trunk.

Please backport to 2.5.2.
msg57072 - Author: Guido van Rossum (gvanrossum) * (Python committer) Date: 2007-11-02 22:38
Also r58708 and r58707 in the py3k-pep3137 branch.

See also bug 1359.
msg57074 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2007-11-02 22:46
Committed r58814.
History
Date                 User           Action  Args
2007-11-02 22:46:47  georg.brandl   set     status: open -> closed; resolution: fixed; messages: + msg57074
2007-11-02 22:38:39  gvanrossum     set     messages: + msg57072
2007-11-02 22:35:52  gvanrossum     set     assignee: gvanrossum -> ; messages: + msg57071
2007-11-02 22:23:49  georg.brandl   set     assignee: loewis -> gvanrossum; messages: + msg57069; nosy: + gvanrossum
2007-09-12 19:32:54  georg.brandl   set     assignee: loewis; type: crash; messages: + msg55863; nosy: + loewis, georg.brandl
2007-09-04 05:38:55  Rhamphoryncus  create