[3.14] gh-127971: fix off-by-one read beyond the end of a string during search (GH-132574) (#136628)

miss-islington · duaneg · web-flow · commit 348e22cf0606 · 2025-07-13T13:58:03.000Z
gh-127971: fix off-by-one read beyond the end of a string during search (GH-132574) (cherry picked from commit 85ec3b3) Co-authored-by: Duane Griffin <duaneg@dghda.com>
diff --git a/Lib/test/string_tests.py b/Lib/test/string_tests.py
@@ -767,6 +767,15 @@ def test_replace(self):
         self.checkraises(TypeError, 'hello', 'replace', 42, 'h')
         self.checkraises(TypeError, 'hello', 'replace', 'h', 42)
 
+    def test_replacement_on_buffer_boundary(self):
+        # gh-127971: Check we don't read past the end of the buffer when a
+        # potential match misses on the last character.
+        any_3_nonblank_codepoints = '!!!'
+        seven_codepoints = any_3_nonblank_codepoints + ' ' + any_3_nonblank_codepoints
+        a = (' ' * 243) + seven_codepoints + (' ' * 7)
+        b = ' ' * 6 + chr(256)
+        a.replace(seven_codepoints, b)
+
     def test_replace_uses_two_way_maxcount(self):
         # Test that maxcount works in _two_way_count in fastsearch.h
         A, B = "A"*1000, "B"*1000
diff --git a/Misc/NEWS.d/next/Core_and_Builtins/2025-04-16-12-01-13.gh-issue-127971.pMDOQ0.rst b/Misc/NEWS.d/next/Core_and_Builtins/2025-04-16-12-01-13.gh-issue-127971.pMDOQ0.rst
@@ -0,0 +1 @@
+Fix off-by-one read beyond the end of a string in string search.
diff --git a/Objects/stringlib/fastsearch.h b/Objects/stringlib/fastsearch.h
@@ -595,7 +595,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
                 continue;
             }
             /* miss: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                 i = i + m;
             }
             else {
@@ -604,7 +604,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
         }
         else {
             /* skip: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                 i = i + m;
             }
         }
@@ -668,7 +668,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
                 }
             }
             /* miss: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                 i = i + m;
             }
             else {
@@ -677,7 +677,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,
         }
         else {
             /* skip: check if next character is part of pattern */
-            if (!STRINGLIB_BLOOM(mask, ss[i+1])) {
+            if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {
                 i = i + m;
             }
         }

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Fix off-by-one read beyond the end of a string in string search.`
Original file line number	Diff line number	Diff line change
`@@ -595,7 +595,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,`
`595`	`595`	`continue;`
`596`	`596`	`}`
`597`	`597`	`/* miss: check if next character is part of pattern */`
`598`		`- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {`
	`598`	`+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {`
`599`	`599`	`i = i + m;`
`600`	`600`	`}`
`601`	`601`	`else {`
`@@ -604,7 +604,7 @@ STRINGLIB(default_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,`
`604`	`604`	`}`
`605`	`605`	`else {`
`606`	`606`	`/* skip: check if next character is part of pattern */`
`607`		`- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {`
	`607`	`+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {`
`608`	`608`	`i = i + m;`
`609`	`609`	`}`
`610`	`610`	`}`
`@@ -668,7 +668,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,`
`668`	`668`	`}`
`669`	`669`	`}`
`670`	`670`	`/* miss: check if next character is part of pattern */`
`671`		`- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {`
	`671`	`+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {`
`672`	`672`	`i = i + m;`
`673`	`673`	`}`
`674`	`674`	`else {`
`@@ -677,7 +677,7 @@ STRINGLIB(adaptive_find)(const STRINGLIB_CHAR* s, Py_ssize_t n,`
`677`	`677`	`}`
`678`	`678`	`else {`
`679`	`679`	`/* skip: check if next character is part of pattern */`
`680`		`- if (!STRINGLIB_BLOOM(mask, ss[i+1])) {`
	`680`	`+ if (i + 1 <= w && !STRINGLIB_BLOOM(mask, ss[i+1])) {`
`681`	`681`	`i = i + m;`
`682`	`682`	`}`
`683`	`683`	`}`