Message256254
I found this while writing up a separate bug (CPython doesn't use static analysis!).
In PC/launcher.c, get_env has a bug:
/* Large environment variable. Accept some leakage */
wchar_t *buf2 = (wchar_t*)malloc(sizeof(wchar_t) * (result+1));
if (buf2 = NULL) {
error(RC_NO_MEMORY, L"Could not allocate environment buffer");
}
GetEnvironmentVariableW(key, buf2, result);
return buf2;
See: https://hg.python.org/cpython/file/tip/PC/launcher.c#l117
Instead of `buf2 == NULL`, Vinay Sajip wrote `buf2 = NULL`. The commit where the error was introduced: https://hg.python.org/cpython/rev/4123e002a1af
Thus, whatever value was in buf2 is lost, the branch is NOT taken (because buf2 evaluates to false), and GetEnvironmentVariableW will (probably) cause an access violation.
Compiling with /analyze found this quite easily:
c:\pythondev\repo\pc\launcher.c(117): warning C6282: Incorrect operator: assignment of constant in Boolean context. Consider using '==' instead. |
|
Date |
User |
Action |
Args |
2015-12-12 04:33:27 | Alexander Riccio | set | recipients:
+ Alexander Riccio, paul.moore, vinay.sajip, tim.golden, zach.ware, steve.dower |
2015-12-12 04:33:27 | Alexander Riccio | set | messageid: <1449894807.83.0.191660385398.issue25844@psf.upfronthosting.co.za> |
2015-12-12 04:33:27 | Alexander Riccio | link | issue25844 messages |
2015-12-12 04:33:26 | Alexander Riccio | create | |
|