From d102f29a4124c119ae0f07ce4dd967c2f7bf90fd Mon Sep 17 00:00:00 2001 From: William Meehan Date: Wed, 12 Aug 2020 11:57:13 -0400 Subject: [PATCH 1/3] bpo-41524: fix pointer bug in PyOS_mystr{n}icmp The existing implementations of PyOS_mystrnicmp and PyOS_mystricmp can increment pointers beyond the end of a string. This commit fixes those cases by moving the mutation out of the condition. --- Python/pystrcmp.c | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/Python/pystrcmp.c b/Python/pystrcmp.c index f9c2277cb56dc7..4cb870cfa2d8dc 100644 --- a/Python/pystrcmp.c +++ b/Python/pystrcmp.c @@ -6,21 +6,24 @@ int PyOS_mystrnicmp(const char *s1, const char *s2, Py_ssize_t size) { + const unsigned char *p1, *p2; if (size == 0) return 0; - while ((--size > 0) && - (tolower((unsigned)*s1) == tolower((unsigned)*s2))) { - if (!*s1++ || !*s2++) + p1 = (void *)s1; + p2 = (void *)s2; + for (; (--size > 0) && (tolower(*p1) == tolower(*p2)); p1++, p2++) { + if (!*p1 || !*p2) break; } - return tolower((unsigned)*s1) - tolower((unsigned)*s2); + return tolower(*p1) - tolower(*p2); } int PyOS_mystricmp(const char *s1, const char *s2) { - while (*s1 && (tolower((unsigned)*s1++) == tolower((unsigned)*s2++))) { + const unsigned char *p1 = (void *)s1, *p2 = (void *)s2; + for (; *p1 && (tolower(*p1) == tolower(*p2)); p1++, p2++) { ; } - return (tolower((unsigned)*s1) - tolower((unsigned)*s2)); + return (tolower(*p1) - tolower(*p2)); } From 367a8c6171aa924fea535212c3c947b625d89b4d Mon Sep 17 00:00:00 2001 From: "blurb-it[bot]" <43283697+blurb-it[bot]@users.noreply.github.com> Date: Wed, 12 Aug 2020 17:09:08 +0000 Subject: [PATCH 2/3] =?UTF-8?q?=F0=9F=93=9C=F0=9F=A4=96=20Added=20by=20blu?= =?UTF-8?q?rb=5Fit.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Misc/NEWS.d/next/C API/2020-08-12-17-09-06.bpo-41524.u6Xfr2.rst | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 Misc/NEWS.d/next/C API/2020-08-12-17-09-06.bpo-41524.u6Xfr2.rst diff --git a/Misc/NEWS.d/next/C API/2020-08-12-17-09-06.bpo-41524.u6Xfr2.rst b/Misc/NEWS.d/next/C API/2020-08-12-17-09-06.bpo-41524.u6Xfr2.rst new file mode 100644 index 00000000000000..4704e29be29bb0 --- /dev/null +++ b/Misc/NEWS.d/next/C API/2020-08-12-17-09-06.bpo-41524.u6Xfr2.rst @@ -0,0 +1,2 @@ +Fix bug in PyOS_mystrnicmp and PyOS_mystricmp that incremented +pointers beyond the end of a string. \ No newline at end of file From 597fe28c4190de5239fd281c948b29917a59a12f Mon Sep 17 00:00:00 2001 From: William Meehan Date: Wed, 12 Aug 2020 13:46:19 -0400 Subject: [PATCH 3/3] Address comments --- Python/pystrcmp.c | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/Python/pystrcmp.c b/Python/pystrcmp.c index 4cb870cfa2d8dc..9224ce4c706055 100644 --- a/Python/pystrcmp.c +++ b/Python/pystrcmp.c @@ -9,11 +9,11 @@ PyOS_mystrnicmp(const char *s1, const char *s2, Py_ssize_t size) const unsigned char *p1, *p2; if (size == 0) return 0; - p1 = (void *)s1; - p2 = (void *)s2; - for (; (--size > 0) && (tolower(*p1) == tolower(*p2)); p1++, p2++) { - if (!*p1 || !*p2) - break; + p1 = (const unsigned char *)s1; + p2 = (const unsigned char *)s2; + for (; (--size > 0) && *p1 && *p2 && (tolower(*p1) == tolower(*p2)); + p1++, p2++) { + ; } return tolower(*p1) - tolower(*p2); } @@ -21,8 +21,9 @@ PyOS_mystrnicmp(const char *s1, const char *s2, Py_ssize_t size) int PyOS_mystricmp(const char *s1, const char *s2) { - const unsigned char *p1 = (void *)s1, *p2 = (void *)s2; - for (; *p1 && (tolower(*p1) == tolower(*p2)); p1++, p2++) { + const unsigned char *p1 = (const unsigned char *)s1; + const unsigned char *p2 = (const unsigned char *)s2; + for (; *p1 && *p2 && (tolower(*p1) == tolower(*p2)); p1++, p2++) { ; } return (tolower(*p1) - tolower(*p2));