[New-bugs-announce] [issue3845] memory access before short string when checking suffix
Matthias Klose
report at bugs.python.org
Fri Sep 12 14:11:56 CEST 2008
New submission from Matthias Klose <doko at debian.org>:
forwarded from https://launchpad.net/bugs/234798
Bug reporter writes:
Python/pythonrun.c's PyRun_SimpleFileExFlags() assumes the filename's
extension
starts four characters back from the end. But what if the filename is
only one
character long? Memory before the filename is referenced which is probably
outside the memory allocated for the string. Here's the relevant bits of
code,
boring lines deleted.
int
PyRun_SimpleFileExFlags(FILE *fp, const char *filename, int closeit,
PyCompilerFlags *flags)
{
ext = filename + strlen(filename) - 4;
if (maybe_pyc_file(fp, filename, ext, closeit)) {
if (strcmp(ext, ".pyo") == 0)
Py_OptimizeFlag = 1;
}
static int
maybe_pyc_file(FILE *fp, const char* filename, const char* ext, int
closeit)
{
if (strcmp(ext, ".pyc") == 0 || strcmp(ext, ".pyo") == 0)
return 1;
}
A trivial solution is:
len = strlen(filename);
ext = filename + len - len > 4 ? 4 : 0;
This will make ext point to the NUL terminator unless filename has room
for the desired /\.py[co]$/ suffix *and* at least one character
beforehand, since I don't suppose it's intended that ".pyo" is a valid
pyo file.
----------
components: Interpreter Core
messages: 73083
nosy: doko
severity: normal
status: open
title: memory access before short string when checking suffix
versions: Python 2.5, Python 2.6
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue3845>
_______________________________________
More information about the New-bugs-announce
mailing list