[issue2620] Multiple buffer overflows in unicode processing
Alexander Belopolsky
report at bugs.python.org
Mon Apr 14 05:29:33 CEST 2008
Alexander Belopolsky <belopolsky at users.sourceforge.net> added the comment:
On Sun, Apr 13, 2008 at 11:12 PM, Gregory P. Smith
<report at bugs.python.org> wrote:
..
> Here's a patch that fixes this by making both Python's malloc and
> realloc return NULL if (0 <= size <= PY_SSIZE_T_MAX).
>
This will not solve the original problem completely: multiplicative
overflow may produce size in the 0 to PY_SSIZE_T_MAX range.
Furthermore, malloc and realloc take unsigned arguments and I believe
there are cases when they are called with unsigned arguments in python
code. Using the proposed macro definitions in these cases will lead
to compiler warnings.
I don't object to limiting the allowed malloc/realloc size, but the
check should be expressed as unsigned comparison: (size_t)(n) >
(size_t)PY_SSIZE_T_MAX and multiplications by n > 2 should still be
checked for overflow before the result can be used for malloc.
__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2620>
__________________________________
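The two points made in the reply, that a size limit alone does not stop a multiplicative overflow from producing an in-range size, and that the limit should be an unsigned comparison, as an added C example. This is not code from CPython or from the thread participants: the Py_ssize_t typedef, the PY_SSIZE_T_MAX definition, the function names and the element count are assumptions made for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed stand-ins for the CPython definitions the thread refers to:
 * a signed Py_ssize_t the width of size_t and PY_SSIZE_T_MAX as the
 * largest value it can hold. */
typedef ptrdiff_t Py_ssize_t;
#define PY_SSIZE_T_MAX ((Py_ssize_t)(((size_t)-1) >> 1))

/* The limit check written as a signed comparison. A size_t above
 * PY_SSIZE_T_MAX converts to a negative Py_ssize_t on two's-complement
 * compilers, so the comparison never rejects it. Returns 1 if n passes. */
static int signed_limit_check_passes(size_t n)
{
    return (Py_ssize_t)n <= PY_SSIZE_T_MAX;
}

/* The same limit written as the unsigned comparison the reply asks for.
 * Every value above PY_SSIZE_T_MAX, including any negative Py_ssize_t
 * viewed as size_t, is rejected. Returns 1 if n passes. */
static int unsigned_limit_check_passes(size_t n)
{
    return (size_t)n <= (size_t)PY_SSIZE_T_MAX;
}

/* Unchecked byte count, exactly as n * sizeof(elem) is computed in code
 * that multiplies first and checks afterwards: the product wraps modulo
 * SIZE_MAX + 1 and can land well inside 0..PY_SSIZE_T_MAX. */
static size_t wrapped_byte_count(size_t n, size_t elem_size)
{
    return n * elem_size;
}

/* Overflow-checked multiply. Stores n * elem_size in *out and returns 1
 * only if the product neither wraps nor exceeds PY_SSIZE_T_MAX; otherwise
 * returns 0 and leaves *out untouched. */
static int checked_byte_count(size_t n, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && n > SIZE_MAX / elem_size)
        return 0;                               /* product would wrap */
    size_t total = n * elem_size;
    if (!unsigned_limit_check_passes(total))
        return 0;                               /* above allocator limit */
    *out = total;
    return 1;
}

/* malloc for an array of n elements: the multiplication is validated
 * before the result reaches the allocator. Returns NULL on overflow. */
static void *safe_array_malloc(size_t n, size_t elem_size)
{
    size_t total;
    if (!checked_byte_count(n, elem_size, &total))
        return NULL;
    return malloc(total);
}

/* Yes/no form of the same check for callers that do not allocate. */
static int array_alloc_fits(size_t n, size_t elem_size)
{
    size_t total;
    return checked_byte_count(n, elem_size, &total);
}

/* Constructed element count: SIZE_MAX / 4 + 2 is itself below
 * PY_SSIZE_T_MAX, yet multiplied by a 4-byte element (a Py_UNICODE on a
 * UCS-4 build) it wraps to exactly 4 on both 32- and 64-bit size_t. */
static size_t overflowing_count(void)
{
    return SIZE_MAX / 4 + 2;
}

int main(void)
{
    size_t n = overflowing_count();
    printf("count %zu passes unsigned limit check: %d\n",
           n, unsigned_limit_check_passes(n));
    printf("unchecked n*4 = %zu bytes, passes limit check: %d\n",
           wrapped_byte_count(n, 4),
           unsigned_limit_check_passes(wrapped_byte_count(n, 4)));
    printf("checked n*4 fits: %d\n", array_alloc_fits(n, 4));
    printf("SIZE_MAX passes signed check: %d, unsigned check: %d\n",
           signed_limit_check_passes(SIZE_MAX),
           unsigned_limit_check_passes(SIZE_MAX));
    void *p = safe_array_malloc(1000, 4);
    printf("1000 elements: %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The constructed count passes the size limit, and so does its wrapped product, which is why the reply insists that the multiplication be checked before the result is used for malloc; the signed form of the limit check additionally lets SIZE_MAX through because the cast turns it into -1.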