[ python-Bugs-1576861 ] potential buffer overflow in complexobject.c

Thu, 19 Oct 2006 23:41:19 -0700 

Bugs item #1576861, was opened at 2006-10-13 21:06
Message generated for change (Settings changed) made by gbrandl
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1576861&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Interpreter Core
Group: Python 2.4
>Status: Pending
Resolution: None
Priority: 5
Submitted By: Jochen Voss (jvoss2)
Assigned to: Nobody/Anonymous (nobody)
Summary: potential buffer overflow in complexobject.c

Initial Comment:
python version 2.4.3

Hello,

recently I came across the following bit of code in the
source file Objects/complexobject.c:

static void
complex_to_buf(char *buf, int bufsz, PyComplexObject
*v, int precision)
{
        char format[32];
        if (v->cval.real == 0.) {
                PyOS_snprintf(format, 32, "%%.%ig",
precision);
                PyOS_ascii_formatd(buf, bufsz, format,
v->cval.imag);
                strncat(buf, "j", bufsz);

The strncat statement in the last line is potentially
unsafe: the size argument of strncat determines how
many characters are to be added maxmimally and not how
large the buffer is in total.  Also there needs to be
space for an additional '\0' byte.

This seems currently not exploitable, because the
function 'complex_to_buf' is always called with a large
enough buffer, but it should be fixed any way (for
example to make sure that nobody copies this code for
use in another context).

I hope this helps,
Jochen


----------------------------------------------------------------------

Comment By: A.M. Kuchling (akuchling)
Date: 2006-10-19 21:44

Message:
Logged In: YES 
user_id=11375

I believe this is fixed in Python 2.4.4 and Python 2.5; a
static analysis tool reported the problem.   Please take a
look at the current trunk version at
http://svn.python.org/view/python/trunk/Objects/complexobject.c?rev=50679&view=log,
and see if the code seems safe now.


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1576861&group_id=5470
_______________________________________________
Python-bugs-list mailing list 
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to