RE: buffer overlow in PC/getpathp.c
I would be happy to! Although I am happy to report that I believe it safe - I have been very careful of this from the time I wrote it.
What is the process? How formal should it be?
Not sure how formal it should be, but I would recommend you review uses of strcpy and convince yourself that the source string is never longer than the target buffer. I am not convinced. For example, in calculate_path(), char *pythonhome is initialized from an environment variable and thus has unknown length. Later it used in a strcpy(prefix, pythonhome), where prefix has a fixed length. This looks like a vulnerability than could be closed by using strncpy(prefix, pythonhome, MAXPATHLEN). The Unix version of this code had three or four vulnerabilities of this sort. So I imagine the Windows version has those too. I was imagining that the registry offered a whole new opportunity to provide unexpectedly long strings that could overflow buffers. Jeremy
target buffer. I am not convinced. For example, in calculate_path(), char *pythonhome is initialized from an environment variable and thus
Oh - ok - sorry. I was speaking from memory. From memory, I believe you will find the registry functions safe - but likely not the older environment based stuff, I agree. I will be happy to look into this. Mark.
[Me, responding to Jeremy's request I look for potential buffer exploits on Windows...]
I will be happy to look into this.
And was :-) If anyone has time over the next day or 2, any holes I either missed, or added(!) in http://sourceforge.net/patch/?func=detailpatch&patch_id=101801&group_id=547 0 would be appreciated! Thanks, Mark.
participants (2)
-
Jeremy Hylton -
Mark Hammond