This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: Missing Sanity Check for malloc() in PC/_msi.c
Type: behavior Stage: resolved
Components: Windows Versions: Python 3.8, Python 3.7, Python 3.6, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: ZackerySpytz, berker.peksag, dogbert2, miss-islington, steve.dower, tim.golden, zach.ware
Priority: normal Keywords: patch

Created on 2015-04-02 22:11 by dogbert2, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
File name Uploaded Description Edit
_msi.c.patch dogbert2, 2015-04-02 22:11 Patch File (diff -u) for this bug
_msi.c.patch dogbert2, 2015-04-06 16:58 Updated patch file for first bug report
Pull Requests
URL Status Linked Edit
PR 9038 merged ZackerySpytz, 2018-09-03 04:32
PR 9110 merged miss-islington, 2018-09-07 22:03
PR 9115 merged miss-islington, 2018-09-08 10:51
PR 9116 merged miss-islington, 2018-09-08 10:51
Messages (7)
msg239948 - (view) Author: Bill Parker (dogbert2) * Date: 2015-04-02 22:11 
Hello All,

   In reviewing code in Python-3.4.3/PC/_msi.c, I found a call to malloc() at line 326 in function 'static PyObject* msierror(int status)' in which the call is made and assigned to variable 'res', but no check for NULL, indicating failure is made afterwards.  The patch below corrects this issue:

--- _msi.c.orig 2015-04-02 15:01:02.882326352 -0700
+++ _msi.c      2015-04-02 15:02:43.382099357 -0700
@@ -324,6 +324,10 @@
     code = MsiRecordGetInteger(err, 1); /* XXX code */
     if (MsiFormatRecord(0, err, res, &size) == ERROR_MORE_DATA) {
         res = malloc(size+1);
+       if (res == NULL) /* malloc() failed, out of memory... */
+           PyErr_SetString(MSIError, "out of memory");
+           return NULL;
+       }
         MsiFormatRecord(0, err, res, &size);
         res[size]='\0';
     }
msg240159 - (view) Author: Bill Parker (dogbert2) * Date: 2015-04-06 16:58 
In directory 'PC', file '_msi.c', I found another call to
malloc() which was not checked for a return value of NULL
which would indicate failure.  The new patch file is below:

--- _msi.c.orig 2015-04-02 15:01:02.882326352 -0700
+++ _msi.c      2015-04-04 16:36:56.919605881 -0700
@@ -324,6 +324,10 @@
     code = MsiRecordGetInteger(err, 1); /* XXX code */
     if (MsiFormatRecord(0, err, res, &size) == ERROR_MORE_DATA) {
         res = malloc(size+1);
+       if (res == NULL) /* malloc() failed, out of memory... */
+           PyErr_SetString(MSIError, "out of memory");
+           return NULL;
+       }
         MsiFormatRecord(0, err, res, &size);
         res[size]='\0';
     }
@@ -547,6 +551,10 @@
         &fval, sval, &ssize);
     if (status == ERROR_MORE_DATA) {
         sval = malloc(ssize);
+       if (sval == NULL) { /* malloc() failed, out of memory... */
+           PyErr_SetString(MSIError, "out of memory");
+           return NULL;
+       }
         status = MsiSummaryInfoGetProperty(si->h, field, &type, &ival,
             &fval, sval, &ssize);
     }
msg324492 - (view) Author: Zackery Spytz (ZackerySpytz) * (Python triager) Date: 2018-09-03 04:31 
The suggested patch is not acceptable: MemoryError should be raised in the unlikely event of a malloc() failure, there's a missing call to MsiCloseHandle(), the use of tabs violates PEP 7, and there's a blatant syntax error.
msg324803 - (view) Author: Berker Peksag (berker.peksag) * (Python committer) Date: 2018-09-07 22:02 
New changeset 4e519377b1b84c9414a360961276993d24198825 by Berker Peksag (Zackery Spytz) in branch 'master':
bpo-23855: Add missing NULL checks for malloc() in _msi.c (GH-9038)
https://github.com/python/cpython/commit/4e519377b1b84c9414a360961276993d24198825
msg324808 - (view) Author: miss-islington (miss-islington) Date: 2018-09-07 22:15 
New changeset 73994077250bd70385cb8e7a92f24874129369d1 by Miss Islington (bot) in branch '3.7':
bpo-23855: Add missing NULL checks for malloc() in _msi.c (GH-9038)
https://github.com/python/cpython/commit/73994077250bd70385cb8e7a92f24874129369d1
msg324934 - (view) Author: miss-islington (miss-islington) Date: 2018-09-10 16:41 
New changeset f51a46631f8dcca596c08a934a766da9afe93c06 by Miss Islington (bot) in branch '2.7':
bpo-23855: Add missing NULL checks for malloc() in _msi.c (GH-9038)
https://github.com/python/cpython/commit/f51a46631f8dcca596c08a934a766da9afe93c06
msg324935 - (view) Author: miss-islington (miss-islington) Date: 2018-09-10 16:41 
New changeset 8a0c254fdd68cfafede168356fc5c5c3e372bc3f by Miss Islington (bot) in branch '3.6':
bpo-23855: Add missing NULL checks for malloc() in _msi.c (GH-9038)
https://github.com/python/cpython/commit/8a0c254fdd68cfafede168356fc5c5c3e372bc3f
History
Date User Action Args
2022-04-11 14:58:15adminsetgithub: 68043
2018-09-11 06:52:17ZackerySpytzsetversions: + Python 2.7, Python 3.6
2018-09-10 16:41:36miss-islingtonsetmessages: + msg324935
2018-09-10 16:41:16miss-islingtonsetmessages: + msg324934
2018-09-08 10:51:33miss-islingtonsetpull_requests: + pull_request8569
2018-09-08 10:51:22miss-islingtonsetpull_requests: + pull_request8568
2018-09-08 01:59:29berker.peksagsetstatus: open -> closed
stage: patch review -> resolved
resolution: fixed
versions: - Python 2.7, Python 3.6
2018-09-07 22:15:33miss-islingtonsetnosy: + miss-islington
messages: + msg324808
2018-09-07 22:03:10miss-islingtonsetpull_requests: + pull_request8564
2018-09-07 22:02:59berker.peksagsetnosy: + berker.peksag
messages: + msg324803
2018-09-03 04:32:51ZackerySpytzsetstage: patch review
pull_requests: + pull_request8499
2018-09-03 04:31:26ZackerySpytzsetnosy: + ZackerySpytz

messages: + msg324492
versions: + Python 2.7, Python 3.6, Python 3.7, Python 3.8, - Python 3.4
2015-04-06 16:58:35dogbert2setfiles: + _msi.c.patch

messages: + msg240159
2015-04-02 22:11:43dogbert2create