Browse Source
gh-133767: Fix use-after-free in the unicode-escape decoder with an error handler (GH-129648)
gh-133767: Fix use-after-free in the unicode-escape decoder with an error handler (GH-129648)
If the error handler is used, a new bytes object is created to set as the object attribute of UnicodeDecodeError, and that bytes object then replaces the original data. A pointer to the decoded data will became invalid after destroying that temporary bytes object. So we need other way to return the first invalid escape from _PyUnicode_DecodeUnicodeEscapeInternal(). _PyBytes_DecodeEscape() does not have such issue, because it does not use the error handlers registry, but it should be changed for compatibility with _PyUnicode_DecodeUnicodeEscapeInternal().pull/133947/head
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 160 additions and 63 deletions
-
5Include/internal/pycore_bytesobject.h
-
12Include/internal/pycore_unicodeobject.h
-
39Lib/test/test_codeccallbacks.py
-
52Lib/test/test_codecs.py
-
2Misc/NEWS.d/next/Security/2025-05-09-20-22-54.gh-issue-133767.kN2i3Q.rst
-
41Objects/bytesobject.c
-
46Objects/unicodeobject.c
-
26Parser/string_parser.c
@ -0,0 +1,2 @@ |
|||
Fix use-after-free in the "unicode-escape" decoder with a non-"strict" error |
|||
handler. |
Write
Preview
Loading…
Cancel
Save
Reference in new issue