bpo-34087: Fix buffer overflow in int(s) and similar functions (GH-8274)

methane · web-flow · commit 16dfca4d829e · 2018-07-14T12:06:43.000+09:00
`_PyUnicode_TransformDecimalAndSpaceToASCII()` missed trailing NUL char. It caused buffer overflow in `_Py_string_to_number_with_underscores()`. This bug is introduced in 9b6c60c.
diff --git a/Lib/test/test_complex.py b/Lib/test/test_complex.py
@@ -345,6 +345,9 @@ def split_zeros(x):
         self.assertEqual(type(complex("1"*500)), complex)
         # check whitespace processing
         self.assertEqual(complex('\N{EM SPACE}(\N{EN SPACE}1+1j ) '), 1+1j)
+        # Invalid unicode string
+        # See bpo-34087
+        self.assertRaises(ValueError, complex, '\u3053\u3093\u306b\u3061\u306f')
 
         class EvilExc(Exception):
             pass
diff --git a/Lib/test/test_float.py b/Lib/test/test_float.py
@@ -60,6 +60,9 @@ def test_float(self):
         # extra long strings should not be a problem
         float(b'.' + b'1'*1000)
         float('.' + '1'*1000)
+        # Invalid unicode string
+        # See bpo-34087
+        self.assertRaises(ValueError, float, '\u3053\u3093\u306b\u3061\u306f')
 
     def test_underscores(self):
         for lit in VALID_UNDERSCORE_LITERALS:
diff --git a/Lib/test/test_long.py b/Lib/test/test_long.py
@@ -373,6 +373,10 @@ def test_long(self):
         for base in invalid_bases:
             self.assertRaises(ValueError, int, '42', base)
 
+        # Invalid unicode string
+        # See bpo-34087
+        self.assertRaises(ValueError, int, '\u3053\u3093\u306b\u3061\u306f')
+
 
     def test_conversion(self):
 
diff --git a/Misc/NEWS.d/next/Core and Builtins/2018-07-13-22-09-55.bpo-34087.I1Bxfc.rst b/Misc/NEWS.d/next/Core and Builtins/2018-07-13-22-09-55.bpo-34087.I1Bxfc.rst
@@ -0,0 +1 @@
+Fix buffer overflow while converting unicode to numeric values.
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
@@ -9072,13 +9072,15 @@ _PyUnicode_TransformDecimalAndSpaceToASCII(PyObject *unicode)
             int decimal = Py_UNICODE_TODECIMAL(ch);
             if (decimal < 0) {
                 out[i] = '?';
+                out[i+1] = '\0';
                 _PyUnicode_LENGTH(result) = i + 1;
                 break;
             }
             out[i] = '0' + decimal;
         }
     }
 
+    assert(_PyUnicode_CheckConsistency(result, 1));
     return result;
 }
 
diff --git a/Python/pystrtod.c b/Python/pystrtod.c
@@ -391,6 +391,8 @@ _Py_string_to_number_with_underscores(
     char *dup, *end;
     PyObject *result;
 
+    assert(s[orig_len] == '\0');
+
     if (strchr(s, '_') == NULL) {
         return innerfunc(s, orig_len, arg);
     }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fix buffer overflow while converting unicode to numeric values.`
Original file line number	Diff line number	Diff line change
`@@ -9072,13 +9072,15 @@ _PyUnicode_TransformDecimalAndSpaceToASCII(PyObject *unicode)`
`9072`	`9072`	`int decimal = Py_UNICODE_TODECIMAL(ch);`
`9073`	`9073`	`if (decimal < 0) {`
`9074`	`9074`	`out[i] = '?';`
	`9075`	`+ out[i+1] = '\0';`
`9075`	`9076`	`_PyUnicode_LENGTH(result) = i + 1;`
`9076`	`9077`	`break;`
`9077`	`9078`	`}`
`9078`	`9079`	`out[i] = '0' + decimal;`
`9079`	`9080`	`}`
`9080`	`9081`	`}`
`9081`	`9082`
	`9083`	`+ assert(_PyUnicode_CheckConsistency(result, 1));`
`9082`	`9084`	`return result;`
`9083`	`9085`	`}`
`9084`	`9086`
Original file line number	Diff line number	Diff line change
`@@ -391,6 +391,8 @@ _Py_string_to_number_with_underscores(`
`391`	`391`	`char dup, end;`
`392`	`392`	`PyObject *result;`
`393`	`393`
	`394`	`+ assert(s[orig_len] == '\0');`
	`395`	`+`
`394`	`396`	`if (strchr(s, '_') == NULL) {`
`395`	`397`	`return innerfunc(s, orig_len, arg);`
`396`	`398`	`}`