SF Bug #1454485, array.array('u') could crash the interpreter when
passing a string. Martin already fixed the actual crash by ensuring
Py_UNICODE is unsigned. As discussed on python-dev, this fix
removes the possibility of creating a unicode string from a raw buffer.
There is an outstanding question of how to fix the crash in 2.4.
diff --git a/Misc/NEWS b/Misc/NEWS
index f397739..e75047c 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -12,6 +12,13 @@
Core and builtins
-----------------
+- Bug #1454485, array.array('u') could crash the interpreter. This was
+ due to PyArgs_ParseTuple(args, 'u#', ...) trying to convert buffers (strings)
+ to unicode when it didn't make sense. 'u#' now requires a unicode string.
+
+- Py_UNICODE is unsigned. It was always documented as unsigned, but
+ due to a bug had a signed value in previous versions.
+
- Patch #837242: ``id()`` of any Python object always gives a positive
number now, which might be a long integer. ``PyLong_FromVoidPtr`` and
``PyLong_AsVoidPtr`` have been changed accordingly. Note that it has
diff --git a/Python/getargs.c b/Python/getargs.c
index e6f607a..5908e6b 100644
--- a/Python/getargs.c
+++ b/Python/getargs.c
@@ -1042,11 +1042,8 @@
STORE_SIZE(PyUnicode_GET_SIZE(arg));
}
else {
- char *buf;
- Py_ssize_t count = convertbuffer(arg, p, &buf);
- if (count < 0)
- return converterr(buf, arg, msgbuf, bufsize);
- STORE_SIZE(count/(sizeof(Py_UNICODE)));
+ return converterr("cannot convert raw buffers",
+ arg, msgbuf, bufsize);
}
format++;
} else {