[ python-Bugs-1576861 ] potential buffer overflow in complexobject.c

SourceForge.net noreply at sourceforge.net
Thu Oct 19 23:44:46 CEST 2006 

Bugs item #1576861, was opened at 2006-10-13 17:06
Message generated for change (Comment added) made by akuchling
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1576861&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Interpreter Core
Group: Python 2.4
Status: Open
Resolution: None
Priority: 5
Submitted By: Jochen Voss (jvoss2)
Assigned to: Nobody/Anonymous (nobody)
Summary: potential buffer overflow in complexobject.c

Initial Comment:
python version 2.4.3

Hello,

recently I came across the following bit of code in the
source file Objects/complexobject.c:

static void
complex_to_buf(char *buf, int bufsz, PyComplexObject
*v, int precision)
{
        char format[32];
        if (v->cval.real == 0.) {
                PyOS_snprintf(format, 32, "%%.%ig",
precision);
                PyOS_ascii_formatd(buf, bufsz, format,
v->cval.imag);
                strncat(buf, "j", bufsz);

The strncat statement in the last line is potentially
unsafe: the size argument of strncat determines how
many characters are to be added maxmimally and not how
large the buffer is in total.  Also there needs to be
space for an additional '\0' byte.

This seems currently not exploitable, because the
function 'complex_to_buf' is always called with a large
enough buffer, but it should be fixed any way (for
example to make sure that nobody copies this code for
use in another context).

I hope this helps,
Jochen


----------------------------------------------------------------------

>Comment By: A.M. Kuchling (akuchling)
Date: 2006-10-19 17:44

Message:
Logged In: YES 
user_id=11375

I believe this is fixed in Python 2.4.4 and Python 2.5; a
static analysis tool reported the problem.   Please take a
look at the current trunk version at
http://svn.python.org/view/python/trunk/Objects/complexobject.c?rev=50679&view=log,
and see if the code seems safe now.


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1576861&group_id=5470

More information about the Python-bugs-list mailing list