Fix heap-buffer-overflow in pythonbuf with undersized buffers (#6019)

* Fix heap-buffer-overflow in pythonbuf with undersized buffers (gh-5886)

The _sync() UTF-8 remainder logic can leave pptr() past the end of
the allocated buffer when buf_size < 4: after moving up to 3 bytes
of an incomplete UTF-8 sequence to the front, pbump(remainder) pushes
pptr() beyond epptr() and the buffer boundary.  The next overflow()
then writes out of bounds.

Fix by clamping the buffer size to a minimum of 4 in the constructor,
ensuring the maximum UTF-8 remainder (3 bytes) plus the overflow slot
(1 byte) always fits within the allocated buffer.

Made-with: Cursor

* Avoid C++14 ODR-use linker error for minimum_buffer_size

std::max takes arguments by const&, which ODR-uses the static constexpr
member and requires an out-of-line definition in C++14. Replace with a
ternary expression that uses the value without taking its address.

Made-with: Cursor

Author: rwgk

include/pybind11/iostream.h

@@ -117,8 +117,16 @@ class pythonbuf : public std::streambuf {
     int sync() override { return _sync(); }
 
 public:
+    // Minimum buffer size must accommodate the largest incomplete UTF-8 sequence
+    // (3 bytes) plus one position reserved for overflow(), i.e. 4 bytes total.
+    static constexpr size_t minimum_buffer_size = 4;
+
     explicit pythonbuf(const object &pyostream, size_t buffer_size = 1024)
-        : buf_size(buffer_size), d_buffer(new char[buf_size]), pywrite(pyostream.attr("write")),
+        : buf_size(buffer_size < minimum_buffer_size // ternary avoids C++14 std::max ODR-use of
+                                                     // static constexpr
+                       ? minimum_buffer_size
+                       : buffer_size),
+          d_buffer(new char[buf_size]), pywrite(pyostream.attr("write")),
           pyflush(pyostream.attr("flush")) {
         setp(d_buffer.get(), d_buffer.get() + buf_size - 1);
     }