[3.13] gh-148093: Raise binascii.Error from binascii.a2b_uu() on empty input (GH-149077) (GH-149349)

Instead of reading past the end of the empty buffer. (cherry picked from commit 0c6d2f64c0) Co-authored-by: Maurycy Pawłowski-Wieroński <maurycy@maurycy.com>
2026-05-06 04:37:33 -04:00 · 2026-05-04 12:06:25 +02:00
parent d82d5c2ddb
commit 023ecbd01f
3 changed files with 17 additions and 0 deletions
@@ -240,6 +240,10 @@ class BinASCIITest(unittest.TestCase):
        self.assertEqual(binascii.a2b_uu(b"\xff"), b"\x00"*31)
        self.assertRaises(binascii.Error, binascii.a2b_uu, b"\xff\x00")
        self.assertRaises(binascii.Error, binascii.a2b_uu, b"!!!!")
+        self.assertRaises(binascii.Error, binascii.a2b_uu,
+                          self.type2test(b""))
+        self.assertRaises(binascii.Error, binascii.a2b_uu,
+                          self.type2test(b"#86)C")[:0])
        self.assertRaises(binascii.Error, binascii.b2a_uu, 46*b"!")

        # Issue #7701 (crash on a pydebug build)
@@ -447,6 +451,9 @@ class BinASCIITest(unittest.TestCase):
                binascii.crc_hqx(empty, 0)
                continue
            f = getattr(binascii, func)
+            if func == 'a2b_uu':
+                self.assertRaises(binascii.Error, f, empty)
+                continue
            try:
                f(empty)
            except Exception as err:
@@ -0,0 +1,2 @@
+Fix an out-of-bounds read of one byte in :func:`binascii.a2b_uu`. Raise
+:exc:`binascii.Error`, instead of reading past the buffer end.
@@ -219,6 +219,14 @@ binascii_a2b_uu_impl(PyObject *module, Py_buffer *data)
    assert(ascii_len >= 0);

    /* First byte: binary data length (in bytes) */
+    if (ascii_len == 0) {
+        state = get_binascii_state(module);
+        if (state == NULL) {
+            return NULL;
+        }
+        PyErr_SetString(state->Error, "Missing length byte");
+        return NULL;
+    }
    bin_len = (*ascii_data++ - ' ') & 077;
    ascii_len--;