Bugs item #1576861, was opened at 2006-10-13 22:06
Message generated for change (Tracker Item Submitted) made by Item Submitter
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1576861&group_id=5470
Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Interpreter Core
Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Submitted By: Jochen Voss (jvoss2)
Assigned to: Nobody/Anonymous (nobody)
Summary: potential buffer overflow in complexobject.c
Initial Comment:
python version 2.4.3
Hello,
recently I came across the following bit of code in the
source file Objects/complexobject.c:
static void
complex_to_buf(char *buf, int bufsz, PyComplexObject
*v, int precision)
{
char format[32];
if (v->cval.real == 0.) {
PyOS_snprintf(format, 32, "%%.%ig",
precision);
PyOS_ascii_formatd(buf, bufsz, format,
v->cval.imag);
strncat(buf, "j", bufsz);
The strncat statement in the last line is potentially
unsafe: the size argument of strncat determines how
many characters are to be added maxmimally and not how
large the buffer is in total. Also there needs to be
space for an additional '\0' byte.
This seems currently not exploitable, because the
function 'complex_to_buf' is always called with a large
enough buffer, but it should be fixed any way (for
example to make sure that nobody copies this code for
use in another context).
I hope this helps,
Jochen
----------------------------------------------------------------------
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1576861&group_id=5470
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
