From 97eaf2b5e5c826b9abe59896a363853bef55c5d9 Mon Sep 17 00:00:00 2001
From: wmeehan
Date: Thu, 27 Aug 2020 01:45:25 -0400
Subject: [PATCH] bpo-41524: fix pointer bug in PyOS_mystr{n}icmp (GH-21845)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* bpo-41524: fix pointer bug in PyOS_mystr{n}icmp

The existing implementations of PyOS_mystrnicmp and PyOS_mystricmp can increment pointers beyond the end of a string. This commit fixes those cases by moving the mutation out of the condition.

* 📜🤖 Added by blurb_it.

* Address comments

Co-authored-by: blurb-it[bot] <43283697+blurb-it[bot]@users.noreply.github.com>
---
 .../2020-08-12-17-09-06.bpo-41524.u6Xfr2.rst | 2 ++
 Python/pystrcmp.c | 18 +++++++++++-------
 2 files changed, 13 insertions(+), 7 deletions(-)
 create mode 100644 Misc/NEWS.d/next/C API/2020-08-12-17-09-06.bpo-41524.u6Xfr2.rst

diff --git a/Misc/NEWS.d/next/C API/2020-08-12-17-09-06.bpo-41524.u6Xfr2.rst b/Misc/NEWS.d/next/C API/2020-08-12-17-09-06.bpo-41524.u6Xfr2.rst
new file mode 100644
index 00000000000..4704e29be29
--- /dev/null
+++ b/Misc/NEWS.d/next/C API/2020-08-12-17-09-06.bpo-41524.u6Xfr2.rst
@@ -0,0 +1,2 @@
+Fix bug in PyOS_mystrnicmp and PyOS_mystricmp that incremented
+pointers beyond the end of a string.
\ No newline at end of file
diff --git a/Python/pystrcmp.c b/Python/pystrcmp.c
index f9c2277cb56..9224ce4c706 100644
--- a/Python/pystrcmp.c
+++ b/Python/pystrcmp.c
@@ -6,21 +6,25 @@
 int
 PyOS_mystrnicmp(const char *s1, const char *s2, Py_ssize_t size)
 {
+ const unsigned char *p1, *p2;
 if (size == 0)
 return 0;
- while ((--size > 0) &&
- (tolower((unsigned)*s1) == tolower((unsigned)*s2))) {
- if (!*s1++ || !*s2++)
- break;
+ p1 = (const unsigned char *)s1;
+ p2 = (const unsigned char *)s2;
+ for (; (--size > 0) && *p1 && *p2 && (tolower(*p1) == tolower(*p2));
+ p1++, p2++) {
+ ;
 }
- return tolower((unsigned)*s1) - tolower((unsigned)*s2);
+ return tolower(*p1) - tolower(*p2);
 }

 int
 PyOS_mystricmp(const char *s1, const char *s2)
 {
- while (*s1 && (tolower((unsigned)*s1++) == tolower((unsigned)*s2++))) {
+ const unsigned char *p1 = (const unsigned char *)s1;
+ const unsigned char *p2 = (const unsigned char *)s2;
+ for (; *p1 && *p2 && (tolower(*p1) == tolower(*p2)); p1++, p2++) {
 ;
 }
- return (tolower((unsigned)*s1) - tolower((unsigned)*s2));
+ return (tolower(*p1) - tolower(*p2));
 }
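Review bot: In `PyOS_mystrnicmp` the guard is still `if (size == 0)`, so a negative `size` skips the loop and falls through to `return tolower(*p1) - tolower(*p2);`, reading the first byte of both strings although the caller asked for no comparison; `--size` on the minimum `Py_ssize_t` value is also signed overflow. Whether any caller can pass a negative length is not visible from this hunk, but since the commit is about keeping reads inside the strings I would tighten the guard to `if (size <= 0) return 0;`. Separately, a short comment above each loop, e.g. `/* advance only in the for-increment so p1/p2 never step past the NUL */`, would keep a later cleanup from folding the `++` back into the condition.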