Fix SF bug 599128, submitted by Inyeol Lee: .replace() would do the
wrong thing for a unicode subclass when there were zero string
replacements.  The example given in the SF bug report was only one way
to trigger this; replacing a string of length >= 2 that's not found is
another.  The code would actually write outside allocated memory if
replacement string was longer than the search string.

(I wonder how many more of these are lurking?  The unicode code base
is full of wonders.)

Bugfix candidate; this same bug is present in 2.2.1.
Guido van Rossum 2002-08-23 18:50:21 +00:00
parent 8b1a6d694f
commit 2023c9b84a
2 changed files with 11 additions and 3 deletions

@ -3534,10 +3534,16 @@ PyObject *replace(PyUnicodeObject *self,
n = count(self, 0, self->length, str1);
if (n > maxcount)
n = maxcount;
if (n == 0 && PyUnicode_CheckExact(self)) {
if (n == 0) {
/* nothing to replace, return original string */
Py_INCREF(self);
u = self;
if (PyUnicode_CheckExact(self)) {
Py_INCREF(self);
u = self;
}
else {
u = (PyUnicodeObject *)
PyUnicode_FromUnicode(self->str, self->length);
}
} else {
u = _PyUnicode_New(
self->length + n * (str2->length - str1->length));
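
Review bot: in the new else branch under n == 0, the result of PyUnicode_FromUnicode(self->str, self->length) is assigned to u with no NULL check visible in this hunk; please confirm that the code after the if/else only returns u and never dereferences it, or add an explicit check. The comment "nothing to replace, return original string" is also no longer accurate for the subclass case, where a fresh copy is returned instead of self; update it to say so, and note there that n == 0 must never reach the _PyUnicode_New path, since the commit message says that path wrote outside allocated memory when the replacement string was longer than the search string.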