Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 86e4237

Browse files
serhiy-storchakaserhiy-storchaka
committed
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
the match object. Based on patch by WGH.
2 parents 75c0d4f + 7e10dbb commit 86e4237

3 files changed

Lines changed: 20 additions & 2 deletions

File tree

Lib/test/test_re.py

Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1824,6 +1824,16 @@ def test_pattern_compare_bytes(self):
18241824
warnings.simplefilter('error', BytesWarning)
18251825
self.assertNotEqual(pattern3, pattern1)
18261826

1827+
def test_bug_29444(self):
1828+
s = bytearray(b'abcdefgh')
1829+
m = re.search(b'[a-h]+', s)
1830+
m2 = re.search(b'[e-h]+', s)
1831+
self.assertEqual(m.group(), b'abcdefgh')
1832+
self.assertEqual(m2.group(), b'efgh')
1833+
s[:] = b'xyz'
1834+
self.assertEqual(m.group(), b'xyz')
1835+
self.assertEqual(m2.group(), b'')
1836+
18271837

18281838
class PatternReprTests(unittest.TestCase):
18291839
def check(self, pattern, expected):

Misc/NEWS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -55,6 +55,9 @@ Extension Modules
5555
Library
5656
-------
5757

58+
- Issue #29444: Fixed out-of-bounds buffer access in the group() method of
59+
the match object. Based on patch by WGH.
60+
5861
- Issue #29335: Fix subprocess.Popen.wait() when the child process has
5962
exited to a stopped instead of terminated state (ex: when under ptrace).
6063

Modules/_sre.c

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2003,6 +2003,7 @@ match_getslice_by_index(MatchObject* self, Py_ssize_t index, PyObject* def)
20032003
Py_buffer view;
20042004
PyObject *result;
20052005
void* ptr;
2006+
Py_ssize_t i, j;
20062007

20072008
if (index < 0 || index >= self->groups) {
20082009
/* raise IndexError if we were given a bad group number */
@@ -2024,8 +2025,12 @@ match_getslice_by_index(MatchObject* self, Py_ssize_t index, PyObject* def)
20242025
ptr = getstring(self->string, &length, &isbytes, &charsize, &view);
20252026
if (ptr == NULL)
20262027
return NULL;
2027-
result = getslice(isbytes, ptr,
2028-
self->string, self->mark[index], self->mark[index+1]);
2028+
2029+
i = self->mark[index];
2030+
j = self->mark[index+1];
2031+
i = Py_MIN(i, length);
2032+
j = Py_MIN(j, length);
2033+
result = getslice(isbytes, ptr, self->string, i, j);
20292034
if (isbytes && view.buf != NULL)
20302035
PyBuffer_Release(&view);
20312036
return result;

0 commit comments

Comments
 (0)