[issue2620] Multiple buffer overflows in unicode processing
Alexander Belopolsky
report at bugs.python.org
Sat Apr 12 06:18:46 CEST 2008
Alexander Belopolsky <belopolsky at users.sourceforge.net> added the comment:
The following simple change should be enough for this issue, but I would
consider implementing the overflow check in the PyMem_RESIZE and PyMem_NEW macros and de-deprecate their use.
===================================================================
--- Objects/unicodeobject.c (revision 62237)
+++ Objects/unicodeobject.c (working copy)
@@ -261,8 +261,8 @@
it contains). */
oldstr = unicode->str;
- unicode->str = PyObject_REALLOC(unicode->str,
- sizeof(Py_UNICODE) * (length + 1));
+ unicode->str = SIZE_MAX/sizeof(Py_UNICODE) - 1 < length ? NULL :
+ PyObject_REALLOC(unicode->str, sizeof(Py_UNICODE) * (length +
1));
if (!unicode->str) {
unicode->str = (Py_UNICODE *)oldstr;
PyErr_NoMemory();
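Review bot: the new assignment to unicode->str buries the overflow test inside a conditional expression that wraps the PyObject_REALLOC call, which makes the bound easy to misread. The arithmetic itself is right, since sizeof(Py_UNICODE) * (length + 1) fits exactly when length <= SIZE_MAX/sizeof(Py_UNICODE) - 1. I would hoist it into its own "if" ahead of the realloc and let that branch fall into the existing PyErr_NoMemory() path, with a one-line comment stating that it guards the multiplication. SIZE_MAX is a C99 macro, so it is worth confirming every supported compiler defines it or using a limit the code base already provides. The hunk covers a single resize site, while the issue title speaks of multiple overflows, so the other allocation sites that multiply by sizeof(Py_UNICODE) still need the same check or the macro-level fix the message proposes.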
__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2620>
__________________________________
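The message's suggestion of moving the overflow check into the allocation helper itself, sketched as an added example (not code from the original message or from CPython). The names `unit_t`, `unchecked_bytes`, `checked_resize` and `resize_units` are hypothetical, and the 4-byte unit standing in for Py_UNICODE is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for Py_UNICODE; the 4-byte width is an assumption. */
typedef uint32_t unit_t;

/* What the unpatched expression computes: wraps modulo SIZE_MAX + 1. */
static size_t unchecked_bytes(size_t length)
{
    return sizeof(unit_t) * (length + 1);
}

/* Hypothetical helper (not CPython's PyMem_RESIZE): resize *pp to
 * count elements of elem_size bytes. Returns 0 on success, -1 if the
 * byte count would overflow or realloc fails; *pp is kept on failure. */
static int checked_resize(void **pp, size_t count, size_t elem_size)
{
    size_t nbytes;
    void *tmp;
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return -1;                      /* count * elem_size would wrap */
    nbytes = count * elem_size;
    tmp = realloc(*pp, nbytes ? nbytes : 1);
    if (tmp == NULL)
        return -1;
    *pp = tmp;
    return 0;
}

/* Resize to length units plus one terminator; the "+ 1" is checked too. */
static int resize_units(unit_t **buf, size_t length)
{
    void *p = *buf;
    if (length == SIZE_MAX || checked_resize(&p, length + 1, sizeof(unit_t)) != 0)
        return -1;
    *buf = p;
    return 0;
}

int main(void)
{
    unit_t *buf = NULL;
    size_t huge = SIZE_MAX / sizeof(unit_t);   /* constructed input */
    printf("unchecked size for huge length: %zu bytes\n", unchecked_bytes(huge));
    printf("small resize: %d\n", resize_units(&buf, 8));
    printf("huge resize:  %d\n", resize_units(&buf, huge));
    free(buf);
    return 0;
}
```

With the check inside the helper, every caller gets the same guard and the old buffer survives a rejected request, which is the behaviour the patched code restores by hand.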