New submission from Serhiy Storchaka <storchaka+cpyt...@gmail.com>:

Format characters %s and %V in PyUnicode_FromFormat() and %s in 
PyBytes_FromFormat() allow limiting the number of bytes read from the argument. 
For example, PyUnicode_FromFormat("must be string, not '%.50s'", 
obj->ob_type->tp_name) will use no more than 50 bytes from 
obj->ob_type->tp_name for creating a message.

But while the number of bytes used for creating the resulting Unicode or bytes 
object is limited, the current implementation can read past this limit. It uses 
strlen() for searching the first null byte, and bounds the result to the 
specified limit. If the input is not null terminated, this can cause a crash.

The proposed PR makes the code never read past the specified limit.

----------
components: Interpreter Core
messages: 332289
nosy: serhiy.storchaka
priority: normal
severity: normal
status: open
title: Do not read memory past the specified limit in PyUnicode_FromFormat() 
and PyBytes_FromFormat()
type: crash
versions: Python 2.7, Python 3.7, Python 3.8

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35552>
_______________________________________
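
The read pattern described in the report, next to a bounded alternative, as an added example that is not part of the original message and is not CPython's code or the proposed PR. The function names, the use of memchr() and the 64-byte sample buffer are assumptions made for illustration; the buffer carries a NUL at offset 60 only so that strlen() stays defined while showing how far it scans.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pattern from the report: locate the NUL with strlen(), then clamp.
 * *scanned receives the number of bytes strlen() had to examine. */
static size_t len_strlen_then_clamp(const char *s, size_t precision, size_t *scanned)
{
    size_t n = strlen(s);              /* walks to the first NUL, however far */
    *scanned = n + 1;                  /* n bytes plus the terminator */
    return n < precision ? n : precision;
}

/* Bounded alternative (hypothetical helper): at most `precision` bytes read. */
static size_t len_bounded(const char *s, size_t precision, size_t *scanned)
{
    const char *nul = memchr(s, '\0', precision);
    size_t n = nul ? (size_t)(nul - s) : precision;
    *scanned = nul ? n + 1 : precision;
    return n;
}

/* Constructed input: a 50-byte field with no terminator, followed by
 * unrelated bytes; the NUL at offset 60 only keeps strlen() defined here. */
static void make_sample(char buf[64])
{
    memset(buf, 'A', 50);
    memset(buf + 50, 'B', 10);
    memset(buf + 60, 0, 4);
}

/* Bytes examined beyond the precision by the strlen-then-clamp pattern. */
static size_t overread_bytes(size_t precision)
{
    char buf[64];
    size_t scanned;
    make_sample(buf);
    len_strlen_then_clamp(buf, precision, &scanned);
    return scanned > precision ? scanned - precision : 0;
}

int main(void)
{
    char buf[64]; size_t a, b;
    make_sample(buf);
    size_t la = len_strlen_then_clamp(buf, 50, &a);
    size_t lb = len_bounded(buf, 50, &b);
    printf("clamp: len=%zu scanned=%zu | bounded: len=%zu scanned=%zu | over-read=%zu\n",
           la, a, lb, b, overread_bytes(50));
    return 0;
}
```

Both functions return the same length, so the difference never shows in the formatted output; it shows only in how many bytes were touched, which is why the report classifies the issue as a crash rather than a wrong result.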