[Python-Dev] RE: buffer overlow in PC/getpathp.c

[Jeremy Hylton]

>I would be happy to!  Although I am happy to report that I believe it
>safe - I have been very careful of this from the time I wrote it.
>
>What is the process?  How formal should it be?

Not sure how formal it should be, but I would recommend you review uses of
strcpy and convince yourself that the source string is never longer than the
target buffer.  I am not convinced.  For example, in calculate_path(), char
*pythonhome is initialized from an environment variable and thus has unknown
length.  Later it used in a strcpy(prefix, pythonhome), where prefix has a
fixed length.  This looks like a vulnerability than could be closed by using
strncpy(prefix, pythonhome, MAXPATHLEN).

The Unix version of this code had three or four vulnerabilities of this
sort.  So I imagine the Windows version has those too.  I was imagining that
the registry offered a whole new opportunity to provide unexpectedly long
strings that could overflow buffers.

Jeremy