From 1a92e15829d537646e71121f4f72d53a0f39dc89 Mon Sep 17 00:00:00 2001 From: Serhiy Storchaka Date: Tue, 23 Sep 2025 18:11:50 +0300 Subject: [PATCH] gh-130567: Fix possible crash in locale.strxfrm() (GH-138940) On some macOS versions there was an off-by-one error in wcsxfrm() which caused writing past the end of the array if its size was not calculated by running wcsxfrm() first. (cherry picked from commit 5854cf38a25ab8b0c6ab0296098166014f77caa3) Co-authored-by: Serhiy Storchaka Co-authored-by: Ronald Oussoren --- .../Library/2025-09-15-19-29-12.gh-issue-130567.shDEnT.rst | 2 ++ Modules/_localemodule.c | 4 +++- 2 files changed, 5 insertions(+), 1 deletion(-) create mode 100644 Misc/NEWS.d/next/Library/2025-09-15-19-29-12.gh-issue-130567.shDEnT.rst diff --git a/Misc/NEWS.d/next/Library/2025-09-15-19-29-12.gh-issue-130567.shDEnT.rst b/Misc/NEWS.d/next/Library/2025-09-15-19-29-12.gh-issue-130567.shDEnT.rst new file mode 100644 index 00000000000000..c194b2331e5f4a --- /dev/null +++ b/Misc/NEWS.d/next/Library/2025-09-15-19-29-12.gh-issue-130567.shDEnT.rst @@ -0,0 +1,2 @@ +Fix possible crash in :func:`locale.strxfrm` due to a platform bug on +macOS. diff --git a/Modules/_localemodule.c b/Modules/_localemodule.c index 85d9062c0627f5..0af5a26f4bc461 100644 --- a/Modules/_localemodule.c +++ b/Modules/_localemodule.c @@ -446,7 +446,9 @@ _locale_strxfrm_impl(PyObject *module, PyObject *str) /* assume no change in size, first */ n1 = n1 + 1; - buf = PyMem_New(wchar_t, n1); + /* Yet another +1 is needed to work around a platform bug in wcsxfrm() + * on macOS. See gh-130567. */ + buf = PyMem_New(wchar_t, n1+1); if (!buf) { PyErr_NoMemory(); goto exit;