SF Bug #1454485, array.array('u') could crash the interpreter when

passing a string.  Martin already fixed the actual crash by ensuring
Py_UNICODE is unsigned.  As discussed on python-dev, this fix
removes the possibility of creating a unicode string from a raw buffer.

There is an outstanding question of how to fix the crash in 2.4.

Misc/NEWS

@@ -12,6 +12,13 @@ What's New in Python 2.5 alpha 2?
 Core and builtins
 -----------------
 
+- Bug #1454485, array.array('u') could crash the interpreter.  This was
+  due to PyArgs_ParseTuple(args, 'u#', ...) trying to convert buffers (strings)
+  to unicode when it didn't make sense.  'u#' now requires a unicode string.
+
+- Py_UNICODE is unsigned.  It was always documented as unsigned, but
+  due to a bug had a signed value in previous versions.
+
 - Patch #837242: ``id()`` of any Python object always gives a positive
   number now, which might be a long integer. ``PyLong_FromVoidPtr`` and
   ``PyLong_AsVoidPtr`` have been changed accordingly.  Note that it has

Python/getargs.c

@@ -1042,11 +1042,8 @@ convertsimple(PyObject *arg, const char **p_format, va_list *p_va, int flags,
 				STORE_SIZE(PyUnicode_GET_SIZE(arg));
 			}
 			else {
-			char *buf;
+				return converterr("cannot convert raw buffers",
-			Py_ssize_t count = convertbuffer(arg, p, &buf);
+						  arg, msgbuf, bufsize);
-			if (count < 0)
-				return converterr(buf, arg, msgbuf, bufsize);
-			STORE_SIZE(count/(sizeof(Py_UNICODE))); 
 			}
 			format++;
 		} else {