[3.13] gh-127971: fix off-by-one read beyond the end of a string during search (#132574) (#136648)

duaneg · web-flow · commit 2383c6015c51 · 2025-07-14T11:50:22.000+02:00
(cherry picked from commit 85ec3b3)
diff --git a/Lib/test/string_tests.py b/Lib/test/string_tests.py
@@ -767,6 +767,15 @@ def test_replace(self):
         self.checkraises(TypeError, 'hello', 'replace', 42, 'h')
         self.checkraises(TypeError, 'hello', 'replace', 'h', 42)
 
+    def test_replacement_on_buffer_boundary(self):
+        # gh-127971: Check we don't read past the end of the buffer when a
+        # potential match misses on the last character.
+        any_3_nonblank_codepoints = '!!!'
+        seven_codepoints = any_3_nonblank_codepoints + ' ' + any_3_nonblank_codepoints
+        a = (' ' * 243) + seven_codepoints + (' ' * 7)
+        b = ' ' * 6 + chr(256)
+        a.replace(seven_codepoints, b)
+
     def test_replace_uses_two_way_maxcount(self):
         # Test that maxcount works in _two_way_count in fastsearch.h
         A, B = "A"*1000, "B"*1000
diff --git a/Misc/NEWS.d/next/Core and Builtins/2025-04-16-12-01-13.gh-issue-127971.pMDOQ0.rst b/Misc/NEWS.d/next/Core and Builtins/2025-04-16-12-01-13.gh-issue-127971.pMDOQ0.rst
@@ -0,0 +1 @@
+Fix off-by-one read beyond the end of a string in string search.
diff --git a/Objects/stringlib/fastsearch.h b/Objects/stringlib/fastsearch.h
@@ -588,7 +588,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
                 continue;
             }
             /* miss: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                 i = i + m;
             }
             else {
@@ -597,7 +597,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
         }
         else {
             /* skip: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                 i = i + m;
             }
         }
@@ -661,7 +661,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
                 }
             }
             /* miss: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                 i = i + m;
             }
             else {
@@ -670,7 +670,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
         }
         else {
             /* skip: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                 i = i + m;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fix off-by-one read beyond the end of a string in string search.`
Original file line number	Diff line number	Diff line change
`@@ -588,7 +588,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,`
`588`	`588`	`continue;`
`589`	`589`	`}`
`590`	`590`	`/* miss: check if next character is part of pattern */`
`591`		`- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {`
	`591`	`+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {`
`592`	`592`	`i = i + m;`
`593`	`593`	`}`
`594`	`594`	`else {`
`@@ -597,7 +597,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,`
`597`	`597`	`}`
`598`	`598`	`else {`
`599`	`599`	`/* skip: check if next character is part of pattern */`
`600`		`- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {`
	`600`	`+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {`
`601`	`601`	`i = i + m;`
`602`	`602`	`}`
`603`	`603`	`}`
`@@ -661,7 +661,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,`
`661`	`661`	`}`
`662`	`662`	`}`
`663`	`663`	`/* miss: check if next character is part of pattern */`
`664`		`- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {`
	`664`	`+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {`
`665`	`665`	`i = i + m;`
`666`	`666`	`}`
`667`	`667`	`else {`
`@@ -670,7 +670,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,`
`670`	`670`	`}`
`671`	`671`	`else {`
`672`	`672`	`/* skip: check if next character is part of pattern */`
`673`		`- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {`
	`673`	`+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {`
`674`	`674`	`i = i + m;`
`675`	`675`	`}`
`676`	`676`	`}`