bpo-34087: Fix buffer overflow in int(s) and similar functions (GH-8274) `_PyUnicode_TransformDecimalAndSpaceToASCII()` missed trailing NUL char. It caused buffer overflow in `_Py_string_to_number_with_underscores()`. This bug is introduced in 9b6c60cb. (cherry picked from commit 16dfca4d829e45f36e71bf43f83226659ce49315) Co-authored-by: INADA Naoki <methane@users.noreply.github.com>

commit: c721472fb83d1f7c7606bcf33ba2d42d6127a764 [log] [tgz]
author: Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com> Fri Jul 13 20:58:12 2018 -0700
committer: GitHub <noreply@github.com> Fri Jul 13 20:58:12 2018 -0700
tree: 5423358bf1045bb2902ddbf92a772c2689146b35
parent: cf21d0031dd84544d4108765553c2b03dfe726c5 [diff] [blame]
diff --git a/Objects/unicodeobject.c b/Objects/unicodeobject.c
index d5e7d10..5d605ab 100644
--- a/Objects/unicodeobject.c
+++ b/Objects/unicodeobject.c

@@ -9076,6 +9076,7 @@
             int decimal = Py_UNICODE_TODECIMAL(ch);
             if (decimal < 0) {
                 out[i] = '?';
+                out[i+1] = '\0';
                 _PyUnicode_LENGTH(result) = i + 1;
                 break;
             }
@@ -9083,6 +9084,7 @@
         }
     }
 
+    assert(_PyUnicode_CheckConsistency(result, 1));
     return result;
 }
commit	c721472fb83d1f7c7606bcf33ba2d42d6127a764	[log] [tgz]
author	Miss Islington (bot) <31488909+miss-islington@users.noreply.github.com>	Fri Jul 13 20:58:12 2018 -0700
committer	GitHub <noreply@github.com>	Fri Jul 13 20:58:12 2018 -0700
tree	5423358bf1045bb2902ddbf92a772c2689146b35
parent	cf21d0031dd84544d4108765553c2b03dfe726c5 [diff] [blame]