classification
Title: re reads an uninitialized memory
Type:
Stage:
Components: Extension Modules
Versions:
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: niemeyer
Nosy List: ishimoto, loewis, niemeyer, nnorwitz
Priority: normal
Keywords: patch

Created on 2003-06-17 16:53 by ishimoto, last changed 2022-04-10 16:09 by admin. This issue is now closed.

Files
File name: sre_readerr.patch
Uploaded: ishimoto, 2003-06-17 16:53
Messages (7)
msg44054 - Author: Atsuo Ishimoto (ishimoto) Date: 2003-06-17 16:53
With this script, re reads from an address beyond the end of the string.

>>> import re
>>> r = re.compile(r"\b1")
>>> print r.search('a', 1)

See assert() in the attached patch to see where incorrect memory reading occurs.
This patch looks to fix the problem, but I'm not sure this is the correct answer.
msg44055 - Author: Martin v. Löwis (loewis) (Python committer) Date: 2003-06-21 13:30
Gustavo, can you review this code?
msg44056 - Author: Gustavo Niemeyer (niemeyer) (Python committer) Date: 2003-06-21 23:28
Atsuo, can you please describe what problem you're trying to
fix!? In other words, can you provide some code which breaks
SRE?

Your assertion doesn't seem to make sense in this place,
since having ptr outside the boundaries of beginning/end
*is* accepted. Notice how "ptr < state->end" is checked
before using ptr[0].

I'm closing this bug as invalid. If you have something you
believe proves there's a bug in this place, please reopen
this bug.

Thank you very much for taking the time to file this bug.
msg44057 - Author: Atsuo Ishimoto (ishimoto) Date: 2003-06-22 02:14
Sorry for my lack of information.

While ptr outside the boundaries is legal, fetching from there is
not. One example of the problem is using SRE for an mmap object.
This script causes an application error on my w2k box.

open("tstfile", "wb").write('a'*4096)
import mmap
f = open("tstfile", "rb")
xx = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
import re
r = re.compile(r"\b1")
r.search(xx, len(xx))
msg44058 - Author: Gustavo Niemeyer (niemeyer) (Python committer) Date: 2003-06-22 20:33
Now I can see the problem. The current test doesn't
contemplate a broken ptr/end pair. Your code is addressing
the right problem, but the right way to fix this seems to be
to avoid that branch completely, unless pattern[3] > 1
(unlike the current > 0).

Thank you very much for your patch and your insistence!
msg44059 - Author: Gustavo Niemeyer (niemeyer) (Python committer) Date: 2003-06-26 14:47
Fixed in Modules/_sre.c:2.99.

Thanks!
msg44060 - Author: Neal Norwitz (nnorwitz) (Python committer) Date: 2003-06-27 14:08
Gustavo, can you add a test case as well?  Thanks.
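
A regression test of the kind requested in the last message, as an added example that is not part of the original thread or of CPython's test suite. It repeats the reporter's mmap search starting at pos == len on current Python 3, which is why the patterns are bytes. The helper names, the patterns other than \b1, and the whole-page file size rationale are assumptions of this example.

```python
import mmap
import os
import re
import tempfile

# Patterns whose minimum match width is 1, like the r"\b1" in the report.
# Constructed list; only \b1 comes from the thread.
PATTERNS = [rb"\b1", rb"\B1", rb"1", rb"[0-9]"]


def search_at_end(pattern, size=mmap.PAGESIZE):
    """Search a read-only mmap of `size` bytes of b'a' starting at pos == len.

    Assumption: the file is a whole number of pages long, so the mapping ends
    on a page boundary and a read one byte past the end is likely to fault
    instead of going unnoticed.
    """
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(b"a" * size)
        with open(path, "rb") as f:
            mm = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
            try:
                rx = re.compile(pattern)
                # pos == len(mm): nothing is left to scan, so the result must
                # be None and no byte of the buffer needs to be read.
                at_end = rx.search(mm, len(mm))
                # A pos past the end is clamped to len(mm) by the re module.
                past_end = rx.search(mm, len(mm) + 10)
                return at_end, past_end
            finally:
                mm.close()
    finally:
        os.unlink(path)


def run_regression():
    """Return {pattern: (result_at_end, result_past_end)} for every pattern."""
    results = {p: search_at_end(p) for p in PATTERNS}
    # The str case from the first message of the thread.
    results["str"] = (re.compile(r"\b1").search("a", 1), None)
    return results


if __name__ == "__main__":
    for pat, res in run_regression().items():
        print(pat, res)
```

Running it under a memory checker or an ASan build of the interpreter makes an out-of-bounds read visible even when the adjacent page happens to be mapped.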
History
Date User Action Args
2022-04-10 16:09:16 admin set github: 38669
2003-06-17 16:53:15 ishimoto create