[issue2620] Multiple buffer overflows in unicode processing
Marc-Andre Lemburg
report at bugs.python.org
Sat Apr 12 01:29:30 CEST 2008
Marc-Andre Lemburg <mal at egenix.com> added the comment:
You are probably referring to 32-bit platforms. At least on 64-bit
platforms, there's no problem with your test cases:
>>> # this is to get the unicode_freelist initialized
... # the length of the string must be <= 9 to keep
... # unicode->str from being deallocated and set to
... # NULL
... bla = unicode('IOActive')
>>> del bla
>>>
>>>
>>> msg = 'A'*2147483647
>>>
>>> msg.decode('utf7')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
MemoryError
The code does check for success of the realloc():

    PyMem_RESIZE(unicode->str, Py_UNICODE, length + 1);
    if (!unicode->str) {
        unicode->str = (Py_UNICODE *)oldstr;
        PyErr_NoMemory();
        return -1;
    }

Are you after the integer overflow and the fact that realloc() would (if
possible) allocate a buffer smaller than needed?
----------
nosy: +lemburg
__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2620>
__________________________________
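
The integer overflow asked about in the comment above, as an added example (not part of the original message and not CPython's code): with a 32-bit size_t the byte count for length + 1 elements wraps, so realloc() can succeed with a buffer smaller than needed and the NULL check never fires. The names wrapped_bytes32, checked_bytes and resize_checked are hypothetical, the size arithmetic is modelled as unsigned 32-bit, and the 2- and 4-byte element widths are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count as a 32-bit size_t computes it: (n * elem) mod 2^32. */
static uint32_t wrapped_bytes32(uint32_t n, uint32_t elem)
{
    return (uint32_t)((uint64_t)n * elem);
}

/* Store n * elem in *out and return 1 if the product is <= max, else 0. */
static int checked_bytes(size_t n, size_t elem, size_t max, size_t *out)
{
    if (elem != 0 && n > max / elem)
        return 0;
    *out = n * elem;
    return 1;
}

/* Hypothetical helper: resize *buf to hold length + 1 elements. On any
   failure *buf is left untouched, like the oldstr restore quoted above. */
static int resize_checked(void **buf, size_t length, size_t elem)
{
    size_t bytes;
    void *p;

    if (elem == 0 || length == SIZE_MAX)   /* length + 1 would wrap to 0 */
        return -1;
    if (!checked_bytes(length + 1, elem, SIZE_MAX, &bytes))
        return -1;                         /* byte count does not fit in size_t */
    p = realloc(*buf, bytes);
    if (p == NULL)
        return -1;
    *buf = p;
    return 0;
}

int main(void)
{
    /* 2147483647 is the string length from the test case; 2 and 4 are
       assumed element widths for a narrow and a wide build. */
    uint32_t count = 2147483647u + 1u;
    printf("2-byte elements: %u bytes requested\n", (unsigned)wrapped_bytes32(count, 2));
    printf("4-byte elements: %u bytes requested\n", (unsigned)wrapped_bytes32(count, 4));
    return 0;
}
```

Both printed byte counts are 0, which is why a check on realloc()'s return value alone does not catch the case: the element count has to be validated before the multiplication.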