Boya Sun added the comment:
Gregory,
I discovered this bug by static analysis, so I do not have a system
where this bug is actually triggered. But I am happy to see the fix
applied since this makes code safer. It would be great if anyone could
write a test case that causes uid and gid to
Boya Sun added the comment:
Martin,
Corrected the patch accordingly. Can you verify whether the fix is
correct or not now?
Boya
--
Added file: http://bugs.python.org/file14900/patch_6873.diff
___
Python tracker
<http://bugs.python.org/issue6
Boya Sun added the comment:
Martin,
I am sorry that I do not have a system where this code actually
triggered a problem, since this bug was discovered by a *static* analysis
tool that was recently developed by our research group, which finds code
segments that are similar to a previously fixed
Boya Sun added the comment:
Victor,
I corrected both issues of the patch according to your first comment.
This patch did not fix the Windows implementation. It seems that there
will not be a buffer overflow in the Windows implementation, since if the
buffer is small for GetCurrentDirectoryW
Changes by Boya Sun:
Removed file: http://bugs.python.org/file14869/patch.diff
___
Python tracker
<http://bugs.python.org/issue6873>
___
___
Python-bugs-list mailin
Boya Sun added the comment:
Martin,
The reason why I think there is a possible overflow is that according to
issue 5705, uid/gid overflows are fixed in the following functions:
posix_setegid, posix_setreuid(), posix_setregid(), posix_setgid(). So I
think a similar fix should also be applied to
Boya Sun added the comment:
Sorry, typo.
Created issue 6873 following Victor's suggestion.
--
___
Python tracker
<http://bugs.python.org/issue5705>
___
___
Boya Sun added the comment:
Created issue 6879 following Victor's suggestion.
--
___
Python tracker
<http://bugs.python.org/issue5705>
___
New submission from Boya Sun:
posix_lchown(PyObject *self, PyObject *args)
{
...
int uid, gid;
...
if (!PyArg_ParseTuple(args, "etii:lchown",
Py_FileSystemDefaultEncoding, &path,
Boya Sun added the comment:
I am still a little bit confused. Can you explain a little more in
detail? What is the difference between the suspicious code and the ones
that are fixed?
--
___
Python tracker
<http://bugs.python.org/issue3
Boya Sun added the comment:
Amaury,
Created issue 6817 with a patch.
--
___
Python tracker
<http://bugs.python.org/issue2722>
___
New submission from Boya Sun:
This issue is similar to issue 2722 (http://bugs.python.org/issue2722#),
where the char buffer support that the path string has
not fixed length in the function posix_getcwd().
In the function posix_getcwdu(), the char buffer is still fixed length. But
I think
Boya Sun added the comment:
In Python/pyarena.c:
block_new(size_t size)
{
/* Allocate header and block as one unit.
ab_mem points just past header. */
block *b = (block *)malloc(sizeof(block) + size);
...
}
Should a check for overflow of "size"
Boya Sun added the comment:
This bug occurred in posix_getcwd() and is being fixed.
Should the following code in posix_getcwdu() also be fixed the same way?
posix_getcwdu(PyObject *self, PyObject *noargs)
{
char buf[1026];
...
#if defined(PYOS_OS2) && defined(
Boya Sun added the comment:
Another potential bug discovered in posixmodule.c in the function
posix_lchown:
posix_lchown(PyObject *self, PyObject *args)
{
...
int uid, gid;
...
if (!PyArg_ParseTuple(args, "etii:l
Boya Sun added the comment:
Although the bug is fixed, the following three code segments seem
suspicious in _codecsmodule.c in the latest revision 74624, and they are
similar to the bug described here:
(1)
escape_decode(PyObject *self,
PyObject *args)
{
...
const char