[New-bugs-announce] [issue2587] PyString_FromStringAndSize() to be considered unsane

Justin Ferguson report at bugs.python.org
Tue Apr 8 17:49:07 CEST 2008

New submission from Justin Ferguson <justin.ferguson at ioactive.com>:

The PyString_FromStringAndSize() function takes a pointer and signed
integer as input parameters however it fails to adequately check the
sanity of the integer argument. Because of the failure to check for
negative values and because it sums the integer with the size of the
PyStringObject structure it becomes possible for the allocator to take
either of the code paths in PyObject_MALLOC()-- both of which will
incorrectly allocate memory.

This may not seem like a big deal, but I'm posting this instead of
filing a bug for every place this screws you guys over.

if (0 > len || len > PY_SSIZE_T_MAX/sizeof(PyStringObject))
        return NULL;

components: Interpreter Core
messages: 65172
nosy: jnferguson
severity: normal
status: open
title: PyString_FromStringAndSize() to be considered unsane
type: security
versions: Python 2.5

Tracker <report at bugs.python.org>
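The arithmetic the report describes, as an added example rather than CPython's own code: a cut-down model in which str_obj stands in for PyStringObject, the 256-byte cutoff stands in for pymalloc's small-request limit, and the hardened check uses the exact header-plus-length bound (the report's PY_SSIZE_T_MAX/sizeof() form is a more conservative variant of the same idea).

```c
/* Added example (not CPython's code): model of the unchecked vs. checked
 * length arithmetic. str_obj and SMALL_REQUEST are stand-ins; the real
 * PyStringObject layout and pymalloc threshold differ. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef ptrdiff_t my_ssize_t;            /* stand-in for Py_ssize_t */
#define MY_SSIZE_T_MAX PTRDIFF_MAX        /* stand-in for PY_SSIZE_T_MAX */
#define SMALL_REQUEST 256                 /* assumed pymalloc pool cutoff */

typedef struct {                          /* stand-in for PyStringObject */
    my_ssize_t ob_refcnt; void *ob_type; my_ssize_t ob_size;
    long ob_shash; int ob_sstate; char ob_sval[1];
} str_obj;

/* Unchecked request size, as in the report: sizeof() is size_t, so a
 * negative len is converted to unsigned before the add and either
 * wraps to a huge value or yields a block smaller than the header. */
size_t unchecked_request(my_ssize_t len) {
    return sizeof(str_obj) + len;
}

/* Which allocator path a request of n bytes would take. */
const char *alloc_path(size_t n) {
    return n <= SMALL_REQUEST ? "pool" : "malloc";
}

/* Hardened request size: returns 0 when len is rejected. Rejects
 * negative lengths and any len for which header + len would overflow. */
size_t checked_request(my_ssize_t len) {
    if (len < 0 || len > MY_SSIZE_T_MAX - (my_ssize_t)sizeof(str_obj))
        return 0;
    return sizeof(str_obj) + (size_t)len;
}

int main(void) {
    /* constructed probe lengths: a sane one, a slightly negative one,
     * one that wraps past zero, and the maximum */
    my_ssize_t probes[] = { 5, -1, -(my_ssize_t)sizeof(str_obj) - 4, MY_SSIZE_T_MAX };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        size_t u = unchecked_request(probes[i]);
        printf("len=%td unchecked=%zu (%s path) checked=%zu\n",
               probes[i], u, alloc_path(u), checked_request(probes[i]));
    }
    return 0;
}
```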
