[Python-checkins] CVS: python/dist/src/Python bltinmodule.c,2.162,2.163

Guido van Rossum python-dev@python.org
Wed, 28 Jun 2000 14:12:28 -0700 

Update of /cvsroot/python/python/dist/src/Python
In directory slayer.i.sourceforge.net:/tmp/cvs-serv3006

Modified Files:
	bltinmodule.c 
Log Message:
Trent Mick:

Various small fixes to the builtin module to ensure no buffer
overflows.

- chunk #1: 
Proper casting to ensure no truncation, and hence no surprises, in the
comparison.

- chunk #2: 
The id() function guarantees a unique return value for different
objects.  It does this by returning the pointer to the object. By
returning a PyInt, on Win64 (sizeof(long) < sizeof(void*)) the pointer
is truncated and the guarantee may be proven false. The appropriate
return function is PyLong_FromVoidPtr, this returns a PyLong if that
is necessary to return the pointer without truncation.

[GvR: note that this means that id() can now return a long on Win32
platforms.  This *might* break some code...]

- chunk #3: 
Ensure no overflow in raw_input(). Granted the user would have to pass
in >2GB of data but it *is* a possible buffer overflow condition.


Index: bltinmodule.c
===================================================================
RCS file: /cvsroot/python/python/dist/src/Python/bltinmodule.c,v
retrieving revision 2.162
retrieving revision 2.163
diff -C2 -r2.162 -r2.163
*** bltinmodule.c	2000/06/20 04:54:19	2.162
--- bltinmodule.c	2000/06/28 21:12:25	2.163
***************
*** 833,837 ****
  	}
  	str = PyString_AsString(cmd);
! 	if ((int)strlen(str) != PyString_Size(cmd)) {
  		PyErr_SetString(PyExc_ValueError,
  			   "embedded '\\0' in string arg");
--- 833,837 ----
  	}
  	str = PyString_AsString(cmd);
! 	if (strlen(str) != (size_t)PyString_Size(cmd)) {
  		PyErr_SetString(PyExc_ValueError,
  			   "embedded '\\0' in string arg");
***************
*** 986,990 ****
  	if (!PyArg_ParseTuple(args, "O:id", &v))
  		return NULL;
! 	return PyInt_FromLong((long)v);
  }
  
--- 986,990 ----
  	if (!PyArg_ParseTuple(args, "O:id", &v))
  		return NULL;
! 	return PyLong_FromVoidPtr(v);
  }
  
***************
*** 1874,1878 ****
  		}
  		else { /* strip trailing '\n' */
! 			result = PyString_FromStringAndSize(s, strlen(s)-1);
  		}
  		PyMem_FREE(s);
--- 1874,1885 ----
  		}
  		else { /* strip trailing '\n' */
! 			size_t len = strlen(s);
! 			if (len > INT_MAX) {
! 				PyErr_SetString(PyExc_OverflowError, "input too long");
! 				result = NULL;
! 			}
! 			else {
! 				result = PyString_FromStringAndSize(s, (int)(len-1));
! 			}
  		}
  		PyMem_FREE(s);