You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
assignee=Noneclosed_at=<Date2019-01-12.09:21:30.979>created_at=<Date2018-12-21.11:15:59.323>labels= ['interpreter-core', '3.7', '3.8', 'type-crash']
title='Do not read memory past the specified limit in PyUnicode_FromFormat() and PyBytes_FromFormat()'updated_at=<Date2019-01-12.09:21:30.979>user='https://github.com/serhiy-storchaka'
Format characters %s and %V in PyUnicode_FromFormat() and %s PyBytes_FromFormat() allow to limit the number of bytes read from the argument. For example PyUnicode_FromFormat("must be string, not '%.50s'", obj->ob_type->tp_name) will use not more than 50 bytes from obj->ob_type->tp_name for creating a message.
But while the number of bytes used for creating the resulting Unicode or bytes object is limited, the current implementation can read past this limit. It uses strlen() for searching the first null byte, and bounds the result to the specified limit. If the input is not null terminated, this can cause a crash.
The proposed PR makes the code never reading past the specified limit.