in scan_once, prevent the reading of arbitrary memory when passed a negative index

Bug reported by Guido Vranken.

Lib/test/json_tests/test_decode.py

@@ -70,5 +70,9 @@ class TestDecode:
         msg = 'escape'
         self.assertRaisesRegex(ValueError, msg, self.loads, s)
 
+    def test_negative_index(self):
+        d = self.json.JSONDecoder()
+        self.assertRaises(ValueError, d.raw_decode, 'a'*42, -50000)
+
 class TestPyDecode(TestDecode, PyTest): pass
 class TestCDecode(TestDecode, CTest): pass

Misc/ACKS

@@ -1139,6 +1139,7 @@ Frank Visser
 Johannes Vogel
 Martijn Vries
 Sjoerd de Vries
+Guido Vranken
 Niki W. Waibel
 Wojtek Walczak
 Charles Waldman

Misc/NEWS

@@ -10,6 +10,9 @@ What's New in Python 3.2.6?
 Library
 -------
 
+- Fix arbitrary memory access in JSONDecoder.raw_decode with a negative second
+  parameter. Bug reported by Guido Vranken.
+
 - Issue #21082: In os.makedirs, do not set the process-wide umask. Note this
   changes behavior of makedirs when exist_ok=True.
 

Modules/_json.c

@@ -930,7 +930,10 @@ scan_once_unicode(PyScannerObject *s, PyObject *pystr, Py_ssize_t idx, Py_ssize_
     PyObject *res;
     Py_UNICODE *str = PyUnicode_AS_UNICODE(pystr);
     Py_ssize_t length = PyUnicode_GET_SIZE(pystr);
-    if (idx >= length) {
+    if (idx < 0)
+        /* Compatibility with Python version. */
+        idx += length;
+    if (idx < 0 || idx >= length) {
         PyErr_SetNone(PyExc_StopIteration);
         return NULL;
     }