This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author jnferguson
Recipients jnferguson
Date 2008-04-08.15:49:03
SpamBayes Score 0.06368636
Marked as misclassified No
Message-id <1207669747.73.0.910333357226.issue2587@psf.upfronthosting.co.za>
In-reply-to
Content 
The PyString_FromStringAndSize() function takes a pointer and signed
integer as input parameters however it fails to adequately check the
sanity of the integer argument. Because of the failure to check for
negative values and because it sums the integer with the size of the
PyStringObject structure it becomes possible for the allocator to take
either of the code paths in PyObject_MALLOC()-- both of which will
incorrectly allocate memory.

This may not seem like a big deal, but I'm posting this instead of
filing a bug for every place this screws you guys over.

if (0 > len || len > PYSSIZE_T_MAX/sizeof(PyStringObject)) 
        return NULL;
History
Date User Action Args
2008-04-08 15:49:08jnfergusonsetspambayes_score: 0.0636864 -> 0.06368636
recipients: + jnferguson
2008-04-08 15:49:07jnfergusonsetspambayes_score: 0.0636864 -> 0.0636864
messageid: <1207669747.73.0.910333357226.issue2587@psf.upfronthosting.co.za>
2008-04-08 15:49:04jnfergusonlinkissue2587 messages
2008-04-08 15:49:03jnfergusoncreate