[Python-Dev] PyErr_Format security note

A.M. Kuchling akuchlin@mems-exchange.org
Sun, 14 Nov 1999 20:49:08 -0500


I noticed this in PyErr_Format(exception, format, va_alist):

	char buffer[500]; /* Caller is responsible for limiting the format */
	...
	vsprintf(buffer, format, vargs);

Making the caller responsible for this is error-prone.  The danger, of
course, is a buffer overflow caused by generating an error string
that's larger than the buffer, possibly letting people execute
arbitrary code.  We could add a test to the configure script for
vsnprintf() and use it when possible, but that only fixes the problem
on platforms which have it.  Can we find an implementation of
vsnprintf() someplace?

-- 
A.M. Kuchling			http://starship.python.net/crew/amk/
One form to rule them all, one form to find them, one form to bring them all
and in the darkness rewrite the hell out of them.
    -- Digital Equipment Corporation, in a comment from SENDMAIL Ruleset 3
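
The bounded formatting the message asks for, as an added example that is not part of the original post and is not CPython's code. The helper names format_bounded_v and format_bounded are hypothetical, and a C99-conforming vsnprintf() is assumed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 500   /* same size as the buffer quoted in the post */

/* Hypothetical helper: format into a fixed buffer without writing past it.
   Returns 0 if the whole message fit, 1 if it was truncated, -1 on error.
   Assumes C99 vsnprintf(), which returns the length the full output would
   have had. Older variants that return -1 on truncation land in the error
   branch, which still leaves the buffer as a valid empty string. */
int format_bounded_v(char *buf, size_t size, const char *format, va_list vargs)
{
    int needed;

    if (buf == NULL || size == 0)
        return -1;
    needed = vsnprintf(buf, size, format, vargs);
    if (needed < 0) {
        buf[0] = '\0';
        return -1;
    }
    if ((size_t)needed >= size) {
        /* Output was cut off: mark it visibly instead of failing silently. */
        if (size > 4)
            memcpy(buf + size - 4, "...", 4);   /* copies the NUL as well */
        return 1;
    }
    return 0;
}

int format_bounded(char *buf, size_t size, const char *format, ...)
{
    va_list vargs;
    int rc;

    va_start(vargs, format);
    rc = format_bounded_v(buf, size, format, vargs);
    va_end(vargs);
    return rc;
}

int main(void)
{
    char buffer[ERRBUF_SIZE];
    char long_name[2000];   /* constructed input, larger than the buffer */

    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';
    int rc = format_bounded(buffer, sizeof buffer, "no attribute '%s'", long_name);
    printf("rc=%d len=%zu\n", rc, strlen(buffer));
    return 0;
}
```

With the vsprintf() call quoted in the post, the same 2000-character argument would write well past the end of the 500-byte buffer.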