[3.14] gh-127971: fix off-by-one read beyond the end of a string during search (GH-132574) (#136628)

gh-127971: fix off-by-one read beyond the end of a string during search (GH-132574) (cherry picked from commit 85ec3b3b50) Co-authored-by: Duane Griffin <duaneg@dghda.com>
2025-11-03 15:11:34 +00:00 · 2025-07-13 15:58:03 +02:00 · 2025-07-13 15:58:03 +02:00 · 348e22cf06
commit 348e22cf06
parent ed1e0cdc58
3 changed files with 14 additions and 4 deletions
--- a/Lib/test/string_tests.py
+++ b/Lib/test/string_tests.py
@ -767,6 +767,15 @@ def test_replace(self):
        self.checkraises(TypeError, 'hello', 'replace', 42, 'h')
        self.checkraises(TypeError, 'hello', 'replace', 'h', 42)

+    def test_replacement_on_buffer_boundary(self):
+        # gh-127971: Check we don't read past the end of the buffer when a
+        # potential match misses on the last character.
+        any_3_nonblank_codepoints = '!!!'
+        seven_codepoints = any_3_nonblank_codepoints + ' ' + any_3_nonblank_codepoints
+        a = (' ' * 243) + seven_codepoints + (' ' * 7)
+        b = ' ' * 6 + chr(256)
+        a.replace(seven_codepoints, b)
+
    def test_replace_uses_two_way_maxcount(self):
        # Test that maxcount works in _two_way_count in fastsearch.h
        A, B = "A"*1000, "B"*1000
--- a/Misc/NEWS.d/next/Core_and_Builtins/2025-04-16-12-01-13.gh-issue-127971.pMDOQ0.rst
+++ b/Misc/NEWS.d/next/Core_and_Builtins/2025-04-16-12-01-13.gh-issue-127971.pMDOQ0.rst
@ -0,0 +1 @@
+Fix off-by-one read beyond the end of a string in string search.
--- a/Objects/stringlib/fastsearch.h
+++ b/Objects/stringlib/fastsearch.h
@ -595,7 +595,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
                continue;
            }
            /* miss: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                i = i + m;
            }
            else {
@ -604,7 +604,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
        }
        else {
            /* skip: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                i = i + m;
            }
        }
@ -668,7 +668,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
                }
            }
            /* miss: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                i = i + m;
            }
            else {
@ -677,7 +677,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
        }
        else {
            /* skip: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                i = i + m;
            }
        }
				`@ -0,0 +1 @@`
				`Fix off-by-one read beyond the end of a string in string search.`