https://github.com/python/cpython/commit/2383c6015c511e6af2ce032593dee10972b12373
commit: 2383c6015c511e6af2ce032593dee10972b12373
branch: 3.13
author: Duane Griffin <[email protected]>
committer: picnixz <[email protected]>
date: 2025-07-14T11:50:22+02:00
summary:
[3.13] gh-127971: fix off-by-one read beyond the end of a string during search
(#132574) (#136648)
(cherry picked from commit 85ec3b3b503ffd5b7e45f8b3fa2cec0c10e4bef0)
files:
A Misc/NEWS.d/next/Core and
Builtins/2025-04-16-12-01-13.gh-issue-127971.pMDOQ0.rst
M Lib/test/string_tests.py
M Objects/stringlib/fastsearch.h
diff --git a/Lib/test/string_tests.py b/Lib/test/string_tests.py
index 9bb0ce7bb57f8b..8dcfa98f85b075 100644
--- a/Lib/test/string_tests.py
+++ b/Lib/test/string_tests.py
@@ -767,6 +767,15 @@ def test_replace(self):
self.checkraises(TypeError, 'hello', 'replace', 42, 'h')
self.checkraises(TypeError, 'hello', 'replace', 'h', 42)
+ def test_replacement_on_buffer_boundary(self):
+ # gh-127971: Check we don't read past the end of the buffer when a
+ # potential match misses on the last character.
+ any_3_nonblank_codepoints = '!!!'
+ seven_codepoints = any_3_nonblank_codepoints + ' ' +
any_3_nonblank_codepoints
+ a = (' ' * 243) + seven_codepoints + (' ' * 7)
+ b = ' ' * 6 + chr(256)
+ a.replace(seven_codepoints, b)
+
def test_replace_uses_two_way_maxcount(self):
# Test that maxcount works in _two_way_count in fastsearch.h
A, B = "A"*1000, "B"*1000
diff --git a/Misc/NEWS.d/next/Core and
Builtins/2025-04-16-12-01-13.gh-issue-127971.pMDOQ0.rst b/Misc/NEWS.d/next/Core
and Builtins/2025-04-16-12-01-13.gh-issue-127971.pMDOQ0.rst
new file mode 100644
index 00000000000000..ced7a9c9fd3e63
--- /dev/null
+++ b/Misc/NEWS.d/next/Core and
Builtins/2025-04-16-12-01-13.gh-issue-127971.pMDOQ0.rst
@@ -0,0 +1 @@
+Fix off-by-one read beyond the end of a string in string search.
diff --git a/Objects/stringlib/fastsearch.h b/Objects/stringlib/fastsearch.h
index 257b7bd6788ad2..513250c08be104 100644
--- a/Objects/stringlib/fastsearch.h
+++ b/Objects/stringlib/fastsearch.h
@@ -588,7 +588,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t
n,
continue;
}
/* miss: check if next character is part of pattern */
- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
i = i + m;
}
else {
@@ -597,7 +597,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t
n,
}
else {
/* skip: check if next character is part of pattern */
- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
i = i + m;
}
}
@@ -661,7 +661,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s,
Py_ssize_t n,
}
}
/* miss: check if next character is part of pattern */
- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
i = i + m;
}
else {
@@ -670,7 +670,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s,
Py_ssize_t n,
}
else {
/* skip: check if next character is part of pattern */
- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
i = i + m;
}
}
_______________________________________________
Python-checkins mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3//lists/python-checkins.python.org
Member address: [email protected]
