[issue23165] Heap overwrite in Python/fileutils.c:_Py_char2wchar() on 32 bit systems due to malloc parameter overflow
STINNER Victor
report at bugs.python.org
Sun Jan 4 23:20:02 CET 2015
STINNER Victor added the comment:
+ size_t argsize = strlen(arg) + 1;
+ if (argsize > PY_SSIZE_T_MAX/sizeof(wchar_t))
+ return NULL;
+ res = PyMem_Malloc(argsize*sizeof(wchar_t));
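Review bot: on the `argsize` line, the `+ 1` is computed before the `PY_SSIZE_T_MAX/sizeof(wchar_t)` comparison, so the guard only ever sees the already-incremented value. Comparing the raw `strlen(arg)` result against the limit and adding 1 afterwards keeps every intermediate value in range. The visible lines also do not show `res` being checked after `PyMem_Malloc`; if allocation failure returns NULL as well, document for callers that NULL also covers the oversized-input case.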
The code doesn't check for integer overflow on "+1". I suggest instead:
+ size_t arglen = strlen(arg);
+ if (arglen > PY_SSIZE_T_MAX / sizeof(wchar_t) - 1)
+ return NULL;
+ res = PyMem_Malloc((arglen + 1) * sizeof(wchar_t));
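Review bot: in the `if` condition, `PY_SSIZE_T_MAX / sizeof(wchar_t) - 1` relies on operator precedence and on the reader knowing that the `- 1` reserves room for the terminating null; parenthesise the division and add a one-line comment saying so. The bound itself is tight: any `arglen` that passes gives `(arglen + 1) * sizeof(wchar_t)` no larger than `PY_SSIZE_T_MAX`.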
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23165>
_______________________________________
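The wraparound named in the issue title and the check order suggested in the comment above, as an added example that is not part of the original message or of CPython. `unchecked_size_32`, `checked_alloc_size` and `LIMIT_32` are hypothetical names; a 32-bit `size_t` with a 4-byte `wchar_t` is an assumption, modelled here with `uint32_t`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit build: size_t is 32 bits and the
 * signed size limit (PY_SSIZE_T_MAX there) is 0x7FFFFFFF. */
#define LIMIT_32 ((size_t)0x7FFFFFFFu)

/* Unchecked (len + 1) * elem_size as a 32-bit size_t would compute it. */
static uint32_t unchecked_size_32(uint32_t len, uint32_t elem_size)
{
    return (uint32_t)((len + 1u) * elem_size);   /* wraps modulo 2^32 */
}

/* Hypothetical helper: store (len + 1) * elem_size in *out and return 1,
 * or return 0 if that would exceed `limit`. The length is compared
 * before 1 is added, so no intermediate value can wrap. */
static int checked_alloc_size(size_t len, size_t elem_size,
                              size_t limit, size_t *out)
{
    if (elem_size == 0 || limit / elem_size == 0)
        return 0;
    if (len > limit / elem_size - 1)
        return 0;
    *out = (len + 1) * elem_size;
    return 1;
}

int main(void)
{
    size_t out = 0;
    /* Constructed input: a 0x40000000-byte string, 4-byte wchar_t. */
    printf("unchecked: %u bytes\n",
           (unsigned)unchecked_size_32(0x40000000u, 4));
    printf("checked:   %s\n",
           checked_alloc_size(0x40000000u, 4, LIMIT_32, &out)
               ? "ok" : "rejected");
    if (checked_alloc_size(0x1FFFFFFEu, 4, LIMIT_32, &out))
        printf("largest accepted length -> %lu bytes\n", (unsigned long)out);
    return 0;
}
```

The unchecked computation yields a 4-byte request for a buffer that must hold 0x40000001 wide characters, which is the undersized allocation the checks in the patch are meant to prevent.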