DmitryJ added the comment:

Quick analysis tells this can be attributed to the following code (in 2.7):

Suppose i = 0, then s[i+m] causes OOB access when m=n. Note only one iteration 
is possible in case of m=n due to loop condition of i <= (w = n-m = 0). 
Theoretically, one can try disclosing one adjacent byte, but more likely 
results are nothing (or potentially invalid match result) or a potential crash 
in an unlucky case of s[m] hitting an unmapped page.

The same code lives in 3.2 (and likely any prior 3.x release), and 3.3 seems to 
be affected as well. 3.4 code has a modified version, but has the same problem 
(ss = s + m - 1; if (!STRINGLIB_BLOOM(mask, ss[i+1])) ...).

nosy: +dev_zzo

Python tracker <>
Python-bugs-list mailing list

Reply via email to