[issue2620] Multiple buffer overflows in unicode processing

Alexander Belopolsky report at bugs.python.org
Sat Apr 12 06:18:46 CEST 2008


Alexander Belopolsky <belopolsky at users.sourceforge.net> added the comment:

The following simple change should be enough for this issue, but I would 
consider implementing the overflow check in the PyMem_RESIZE and PyMem_NEW macros and de-deprecate their use.

===================================================================
--- Objects/unicodeobject.c     (revision 62237)
+++ Objects/unicodeobject.c     (working copy)
@@ -261,8 +261,8 @@
        it contains). */
 
     oldstr = unicode->str;
-    unicode->str = PyObject_REALLOC(unicode->str,
-                                   sizeof(Py_UNICODE) * (length + 1));
+    unicode->str = SIZE_MAX/sizeof(Py_UNICODE) - 1 < length ? NULL :
+        PyObject_REALLOC(unicode->str, sizeof(Py_UNICODE) * (length + 
1));
     if (!unicode->str) {
        unicode->str = (Py_UNICODE *)oldstr;
         PyErr_NoMemory();
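Review bot: The guard in the `+` lines mixes signedness: `length` is a Py_ssize_t while `SIZE_MAX/sizeof(Py_UNICODE) - 1` is a size_t, so the comparison promotes `length` to unsigned (a negative value would fail the guard, which is at least safe, but it earns a compiler warning and hides the intent). A clearer form is to hoist the check out of the ternary into its own `if` before the realloc, using Python's own portable limit rather than `SIZE_MAX` (which comes from C99 `<stdint.h>` and is not available on every compiler Python targets; `PY_SIZE_MAX` / `PY_SSIZE_T_MAX` from `pyport.h` are), e.g. `if (length > PY_SSIZE_T_MAX / sizeof(Py_UNICODE) - 1) { PyErr_NoMemory(); return -1; }` ahead of the existing `PyObject_REALLOC` call. As written, an overflowing `length` falls through to the existing `if (!unicode->str)` branch and reports MemoryError, which is acceptable but worth a comment so the next reader knows the NULL is deliberate rather than an allocation failure.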

__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2620>
__________________________________
