[issue15930] buffer overrun in wcstombs_errorpos()

2012-09-12 Thread Christian Heimes
Christian Heimes added the comment:

Stefan, I agree with your analysis. With the terminating null wide char wcstombs will never read beyond the end of buf.

--
resolution: -> invalid
status: open -> closed

[issue15930] buffer overrun in wcstombs_errorpos()

2012-09-12 Thread Stefan Krah
Stefan Krah added the comment:

I'm convinced that this is a false positive:

    size_t wcstombs(char *dest, const wchar_t *src, size_t n);

We have:

  1) buf[0] = *wstr and buf[1] = 0.

So:

  2) wcstombs(NULL, buf, 0) <= 4.

Then the man page says:

"... the programmer should mak

[issue15930] buffer overrun in wcstombs_errorpos()

2012-09-12 Thread Stefan Krah
Stefan Krah added the comment:

buf[1] contains NUL if SIZE_OF_WCHAR_T is 4. The man page says:

    size_t wcstombs(char *dest, const wchar_t *src, size_t n)

The conversion can stop for three reasons:

  3. The wide-character string has been completely converted, including the terminating L'\0'.

[issue15930] buffer overrun in wcstombs_errorpos()

2012-09-12 Thread Christian Heimes
Christian Heimes added the comment: Georg, this issue might be security relevant and should be reviewed before the next release. -- nosy: +georg.brandl

[issue15930] buffer overrun in wcstombs_errorpos()

2012-09-12 Thread Christian Heimes
New submission from Christian Heimes:

Coverity has found a buffer overrun in wcstombs_errorpos() defined at http://hg.python.org/cpython/file/25e41fdc4e60/Objects/unicodeobject.c#l3237

Message:

CID 719672: Out-of-bounds access (OVERRUN)
At (2): Overrunning array "buf" of 2 4-byte elements by pa