This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author: christian.heimes
Recipients: benjamin.peterson, christian.heimes, ezio.melotti, lemburg, pitrou, serhiy.storchaka, vstinner
Date: 2015-04-18.22:32:37
Message-id: <1429396358.28.0.910833101692.issue23997@psf.upfronthosting.co.za>
In-reply-to:
Content
Coverity has found a potential buffer overflow in the unicodedata module. The function lookup() calls _getcode(), which calls _cmpname(). _cmpname() copies data into a fixed-size buffer of length NAME_MAXLEN. Neither lookup() nor _getcode() limits name_length to NAME_MAXLEN. Therefore the buffer could theoretically overflow.

In practice the buffer overflow can't be abused because Tools/unicode/makeunicodedata.py already limits the maximum name length. I would still like to fix the bug because it is low-hanging fruit. In most versions of Python the code already checks that name_length fits in INT_MAX.

CID 1295028 (#1 of 1): Out-of-bounds access (OVERRUN)
overrun-call: Overrunning callee's array of size 256 by passing argument (int)name_length (which evaluates to 2147483647) in call to _getcode
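The pattern the message describes, as an added example in C that is not CPython's code and not the patch for this issue: a constructed comparison routine that uppercases a caller-supplied name into a NAME_MAXLEN stack buffer, shown first without a length check (the shape Coverity flags) and then with the bound enforced before the first store, plus a lookup() style caller that passes the length explicitly. The name table, the function names, the 256 value and the oversized query are all assumptions made for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size; the Coverity report above mentions an array of size 256. */
#define NAME_MAXLEN 256

/* Constructed stand-in for the generated name table. The real generator
 * (Tools/unicode/makeunicodedata.py) caps name length, so every entry here
 * is far shorter than NAME_MAXLEN as well. */
static const char *const NAME_TABLE[] = {
    "LATIN SMALL LETTER A",
    "SPACE",
    "EURO SIGN",
};
#define NAME_TABLE_SIZE (sizeof NAME_TABLE / sizeof NAME_TABLE[0])

/* Vulnerable shape of the comparison: the caller's name is uppercased into a
 * fixed-size stack buffer, but namelen is never compared with NAME_MAXLEN.
 * With namelen > NAME_MAXLEN the loop writes past the end of `buffer`; with
 * namelen == NAME_MAXLEN the terminator store does. Kept only to show the
 * defect; call it only with a length you have already bounded. */
int cmpname_unchecked(const char *name, int namelen, const char *entry)
{
    char buffer[NAME_MAXLEN];
    int i;
    for (i = 0; i < namelen; i++)
        buffer[i] = (char)toupper((unsigned char)name[i]);
    buffer[i] = '\0';            /* out of bounds when namelen == NAME_MAXLEN */
    return strcmp(buffer, entry) == 0;
}

/* Hardened version: reject before the first store. No valid name can be
 * NAME_MAXLEN bytes or longer, so an oversized query simply cannot match.
 * Taking size_t also sidesteps narrowing a large length to int before the
 * check, the "(int)name_length" Coverity complains about. */
int cmpname_checked(const char *name, size_t namelen, const char *entry)
{
    char buffer[NAME_MAXLEN];
    if (namelen >= NAME_MAXLEN)  /* leave room for the terminator */
        return 0;
    for (size_t i = 0; i < namelen; i++)
        buffer[i] = (char)toupper((unsigned char)name[i]);
    buffer[namelen] = '\0';
    return strcmp(buffer, entry) == 0;
}

/* Caller in the role of lookup(): returns the index of the matching entry or
 * -1. Passing the length explicitly (rather than relying on strlen) keeps
 * the bound check authoritative even for names with embedded NULs. */
int lookup_name(const char *name, size_t namelen)
{
    for (size_t i = 0; i < NAME_TABLE_SIZE; i++)
        if (cmpname_checked(name, namelen, NAME_TABLE[i]))
            return (int)i;
    return -1;
}

/* Constructed oversized query: 4 * NAME_MAXLEN bytes of 'A'. Returns 1 when
 * the hardened path rejects it without touching the buffer. */
int oversized_query_is_rejected(void)
{
    char huge[NAME_MAXLEN * 4];
    memset(huge, 'A', sizeof huge);
    return lookup_name(huge, sizeof huge) == -1
        && cmpname_checked(huge, sizeof huge, "AAAA") == 0;
}

int main(void)
{
    printf("euro sign -> %d\n", lookup_name("euro sign", 9));
    printf("oversized query rejected: %d\n", oversized_query_is_rejected());
    return 0;
}
```

The check belongs at the point where the untrusted length first meets the fixed buffer; putting it only in one caller leaves every other caller of the comparison routine relying on the generator script's limit, which is exactly the situation Coverity cannot see through.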
History
Date                 User              Action  Args
2015-04-18 22:32:38  christian.heimes  set     recipients: + christian.heimes, lemburg, pitrou, vstinner, benjamin.peterson, ezio.melotti, serhiy.storchaka
2015-04-18 22:32:38  christian.heimes  set     messageid: <1429396358.28.0.910833101692.issue23997@psf.upfronthosting.co.za>
2015-04-18 22:32:38  christian.heimes  link    issue23997 messages
2015-04-18 22:32:37  christian.heimes  create