[issue2588] PyOS_vsnprintf() underflow leads to memory corruption
Alexander Belopolsky
report at bugs.python.org
Wed Apr 9 03:11:57 CEST 2008
Alexander Belopolsky <belopolsky at users.sourceforge.net> added the comment:
As long as snprintf is used with a fixed size buffer using an idiom
    snprintf(buffer, sizeof(buffer), ..)
there is no issue because sizeof(buffer) cannot be zero. AFAICT, this
is how Python uses the PyOS_vsnprintf wrapper.
On the other hand, maybe this is a good opportunity to revisit the
decision to make PyOS_vsnprintf semantics different from C99 vsnprintf.
C99 defines snprintf semantics as follows:
    int snprintf(char *restrict s, size_t n,
                 const char *restrict format, ...);
The snprintf() function shall be equivalent to sprintf(), with the
addition of the n argument which states the size of the buffer referred
to by s. If n is zero, nothing shall be written and s may be a null
pointer. Otherwise, output bytes beyond the n-1st shall be discarded
instead of being written to the array, and a null byte is written at the
end of the bytes actually written into the array.
<http://www.opengroup.org/onlinepubs/000095399/functions/printf.html>
----------
nosy: +belopolsky
__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2588>
__________________________________
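Added example, not part of the original message and not CPython's code: a hypothetical wrapper (`bounded_vformat`, `bounded_format` and `was_truncated` are names assumed here) that formats into a scratch buffer and copies into the destination while following the C99 rules quoted above, including the n == 0 case where `n - 1` must never be computed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper (not CPython's PyOS_vsnprintf): formats into a scratch
 * buffer, then copies at most n-1 bytes into s, per the C99 text quoted above. */
int bounded_vformat(char *s, size_t n, const char *fmt, va_list ap)
{
    va_list probe;
    va_copy(probe, ap);
    int needed = vsnprintf(NULL, 0, fmt, probe);  /* measure only */
    va_end(probe);
    if (n == 0)          /* C99: write nothing, s may be NULL; n - 1 is never formed */
        return needed;
    char *scratch = needed < 0 ? NULL : malloc((size_t)needed + 1);
    if (scratch == NULL) {   /* encoding error or out of memory */
        s[0] = '\0';
        return -1;
    }
    vsnprintf(scratch, (size_t)needed + 1, fmt, ap);
    /* n >= 1 here, so n - 1 cannot wrap around to SIZE_MAX */
    size_t to_copy = (size_t)needed < n ? (size_t)needed : n - 1;
    memcpy(s, scratch, to_copy);
    s[to_copy] = '\0';
    free(scratch);
    return needed;  /* length the full output would have had */
}

int bounded_format(char *s, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = bounded_vformat(s, n, fmt, ap);
    va_end(ap);
    return r;
}

/* C99 convention: a return value >= n (or < 0) means the output did not fit. */
int was_truncated(int ret, size_t n) { return ret < 0 || (size_t)ret >= n; }

int main(void)
{
    char buf[8];  /* constructed sample input */
    int r = bounded_format(buf, sizeof(buf), "%s-%d", "issue", 2588);
    printf("%s ret=%d truncated=%d\n", buf, r, was_truncated(r, sizeof(buf)));
    return 0;
}
```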