Backport r58709 from trunk:

Backport fixes for the code that decodes octal escapes (and for PyString
also hex escapes) -- this was reaching beyond the end of the input string
buffer, even though it is not supposed to be \0-terminated.
This has no visible effect but is clearly the correct thing to do.
(In 3.0 it had a visible effect after removing ob_sstate from PyString.)
Also fixes #1098.

Objects/stringobject.c

@@ -616,16 +616,18 @@ PyObject *PyString_DecodeEscape(const char *s,
 		case '0': case '1': case '2': case '3':
 		case '4': case '5': case '6': case '7':
 			c = s[-1] - '0';
-			if ('0' <= *s && *s <= '7') {
+			if (s < end && '0' <= *s && *s <= '7') {
 				c = (c<<3) + *s++ - '0';
-				if ('0' <= *s && *s <= '7')
+				if (s < end && '0' <= *s && *s <= '7')
 					c = (c<<3) + *s++ - '0';
 			}
 			*p++ = c;
 			break;
 		case 'x':
-			if (isxdigit(Py_CHARMASK(s[0]))
-			    && isxdigit(Py_CHARMASK(s[1]))) {
+			if (s+1 < end &&
+                            isxdigit(Py_CHARMASK(s[0])) &&
+			    isxdigit(Py_CHARMASK(s[1])))
+                        {
 				unsigned int x = 0;
 				c = Py_CHARMASK(*s);
 				s++;

Objects/unicodeobject.c

@@ -1813,7 +1813,10 @@ PyObject *PyUnicode_DecodeUnicodeEscape(const char *s,
         startinpos = s-starts;
         /* \ - Escapes */
         s++;
-        switch (*s++) {
+        c = *s++;
+        if (s > end)
+            c = '\0'; /* Invalid after \ */
+        switch (c) {
 
         /* \x escapes */
         case '\n': break;
@@ -1832,9 +1835,9 @@ PyObject *PyUnicode_DecodeUnicodeEscape(const char *s,
         case '0': case '1': case '2': case '3':
         case '4': case '5': case '6': case '7':
             x = s[-1] - '0';
-            if ('0' <= *s && *s <= '7') {
+            if (s < end && '0' <= *s && *s <= '7') {
                 x = (x<<3) + *s++ - '0';
-                if ('0' <= *s && *s <= '7')
+                if (s < end && '0' <= *s && *s <= '7')
                     x = (x<<3) + *s++ - '0';
             }
             *p++ = x;