Message 65172 - Python tracker

Author	jnferguson
Recipients	jnferguson
Date	2008-04-08.15:49:03
SpamBayes Score	0.0636864
Marked as misclassified	No
Message-id	<1207669747.73.0.910333357226.issue2587@psf.upfronthosting.co.za>
In-reply-to

Content
The PyString_FromStringAndSize() function takes a pointer and signed integer as input parameters however it fails to adequately check the sanity of the integer argument. Because of the failure to check for negative values and because it sums the integer with the size of the PyStringObject structure it becomes possible for the allocator to take either of the code paths in PyObject_MALLOC()-- both of which will incorrectly allocate memory. This may not seem like a big deal, but I'm posting this instead of filing a bug for every place this screws you guys over. if (0 > len \|\| len > PYSSIZE_T_MAX/sizeof(PyStringObject)) return NULL;

The PyString_FromStringAndSize() function takes a pointer and signed
integer as input parameters however it fails to adequately check the
sanity of the integer argument. Because of the failure to check for
negative values and because it sums the integer with the size of the
PyStringObject structure it becomes possible for the allocator to take
either of the code paths in PyObject_MALLOC()-- both of which will
incorrectly allocate memory.

This may not seem like a big deal, but I'm posting this instead of
filing a bug for every place this screws you guys over.

if (0 > len || len > PYSSIZE_T_MAX/sizeof(PyStringObject)) 
        return NULL;

History
Date	User	Action	Args
2008-04-08 15:49:08	jnferguson	set	spambayes_score: 0.0636864 -> 0.0636864 recipients: + jnferguson
2008-04-08 15:49:07	jnferguson	set	spambayes_score: 0.0636864 -> 0.0636864 messageid: <1207669747.73.0.910333357226.issue2587@psf.upfronthosting.co.za>
2008-04-08 15:49:04	jnferguson	link	issue2587 messages
2008-04-08 15:49:03	jnferguson	create