[Patches] fix bltinmodule.c for 64-bit platforms

Trent Mick trentm@activestate.com
Fri, 2 Jun 2000 17:22:39 -0700


Discussion:

Various small fixes to the builtin module to ensure no buffer overflows.

- chunk #1:
  Proper casting to ensure no truncation, and hence no surprises, in the
  comparison.

- chunk #2:
  The id() function guarantees a unique return value for different objects.
  It does this by returning the pointer to the object. By returning a PyInt,
  on Win64 (sizeof(long) < sizeof(void*)) the pointer is truncated and the
  guarantee may be proven false. The appropriate return function is
  PyLong_FromVoidPtr, this returns a PyLong if that is necessary to return
  the pointer without truncation.

- chunk #3:
  Ensure no overflow in raw_input(). Granted the user would have to pass in
  >2GB of data but it *is* a possible buffer overflow condition.



Legal:

I confirm that, to the best of my knowledge and belief, this
contribution is free of any claims of third parties under
copyright, patent or other rights or interests ("claims").  To
the extent that I have any such claims, I hereby grant to CNRI a
nonexclusive, irrevocable, royalty-free, worldwide license to
reproduce, distribute, perform and/or display publicly, prepare
derivative versions, and otherwise use this contribution as part
of the Python software and its related documentation, or any
derivative versions thereof, at no cost to CNRI or its licensed
users, and to authorize others to do so.

I acknowledge that CNRI may, at its sole discretion, decide
whether or not to incorporate this contribution in the Python
software and its related documentation.  I further grant CNRI
permission to use my name and other identifying information
provided to CNRI by me for use in connection with the Python
software and its related documentation.




Patch (use 'patch -p8'):

diff  -c /home/trentm/main/contrib/python/dist/src/Python/bltinmodule.c /home/trentm/main/Apps/Perlium/Python/dist/src/Python/bltinmodule.c
*** /home/trentm/main/contrib/python/dist/src/Python/bltinmodule.c	Thu Jun  1 00:13:40 2000
--- /home/trentm/main/Apps/Perlium/Python/dist/src/Python/bltinmodule.c	Fri Jun  2 15:53:44 2000
***************
*** 832,838 ****
  		return NULL;
  	}
  	str = PyString_AsString(cmd);
! 	if ((int)strlen(str) != PyString_Size(cmd)) {
  		PyErr_SetString(PyExc_ValueError,
  			   "embedded '\\0' in string arg");
  		return NULL;
--- 832,838 ----
  		return NULL;
  	}
  	str = PyString_AsString(cmd);
! 	if (strlen(str) != (size_t)PyString_Size(cmd)) {
  		PyErr_SetString(PyExc_ValueError,
  			   "embedded '\\0' in string arg");
  		return NULL;
***************
*** 985,991 ****
  
  	if (!PyArg_ParseTuple(args, "O:id", &v))
  		return NULL;
! 	return PyInt_FromLong((long)v);
  }
  
  static char id_doc[] =
--- 985,991 ----
  
  	if (!PyArg_ParseTuple(args, "O:id", &v))
  		return NULL;
! 	return PyLong_FromVoidPtr(v);
  }
  
  static char id_doc[] =
***************
*** 1873,1879 ****
  			result = NULL;
  		}
  		else { /* strip trailing '\n' */
! 			result = PyString_FromStringAndSize(s, strlen(s)-1);
  		}
  		PyMem_FREE(s);
  		return result;
--- 1873,1886 ----
  			result = NULL;
  		}
  		else { /* strip trailing '\n' */
! 			size_t len = strlen(s);
! 			if (len > INT_MAX) {
! 				PyErr_SetString(PyExc_OverflowError, "input too long");
! 				result = NULL;
! 			}
! 			else {
! 				result = PyString_FromStringAndSize(s, (int)(len-1));
! 			}
  		}
  		PyMem_FREE(s);
  		return result;

-- 
Trent Mick
trentm@activestate.com