PyOS_vsnprintf() underflow leads to memory corruption #46840
Comments
The PyOS_vsnprintf() contains the caveat that the length parameter 53 int

I think that programming errors against the Python API are best checked Other thoughts?

I can generally agree with that, and I admit I haven't verified all of In the other bug, I have verified code paths into it, for instance test
As long as snprintf is used with a fixed size buffer using an idiom snprintf(buffer, sizeof(buffer), ..) there is no issue because sizeof(buffer) cannot be zero. AFAICT, this On the other hand, maybe this is a good opportunity to revisit the C99 defines snprintf semantics as follows:

int snprintf(char *restrict s, size_t n,
const char *restrict format, ...);

The snprintf() function shall be equivalent to sprintf(), with the <http://www.opengroup.org/onlinepubs/000095399/functions/printf.html>
I do agree with your point about snprintf(..., sizeof(x), ...)-- my While no one seems to ever use it this way, don't forget that a good
On Tue, Apr 8, 2008 at 9:21 PM, Justin Ferguson <report@bugs.python.org> wrote:
Remember that PyOS_vsnprintf was introduced back in 2001 when

Actually, I'm not sure things are any better today- even the same That said, there's plenty of other implementations that manage this
On Wed, Apr 9, 2008 at 1:16 PM, Justin Ferguson <report@bugs.python.org> wrote:
Do you have in mind something like the following?

===================================================================
--- Python/mysnprintf.c (revision 62211)
+++ Python/mysnprintf.c (working copy)
@@ -88,6 +88,7 @@
PyMem_FREE(buffer);
Done:
#endif
- str[size-1] = '\0';
+ if (size > 0)
+ str[size-1] = '\0';
return len;
}

I would be +0 on such change.
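Review bot: the `if (size > 0)` guard fixes the wraparound at the final terminator write only; `size` is unsigned, so `size-1` wraps to the maximum value when `size == 0`, and the unguarded `str[size-1] = '\0'` stores far outside `str`. The hunk shows this write sitting after `Done:` and `PyMem_FREE(buffer)`, which implies earlier copying into `str` above this hunk; those paths should be checked for the same `size == 0` assumption, otherwise the terminating NUL becomes the last out-of-bounds store rather than the only one. It would also help to state in the function's comment that `size` may be zero and that in that case nothing is written and only the would-be length is returned.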
Yep, that works for me.
Fixed in trunk r63734 using Alexander's suggested fix. I will backport this to release25-maint. |
Fixed in release25-maint r63883. |
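A worked example of the size == 0 edge case discussed in the snprintf semantics comment above and of the guard in the patch above. This is added illustration, not CPython's own PyOS_vsnprintf code; the names safe_vsnprintf, safe_snprintf, unguarded_terminator_offset, check_size_zero and check_truncation are hypothetical. It wraps the C99 vsnprintf, applies the post-fix termination logic, and uses canary bytes around a small buffer to confirm that a zero size writes nothing and that truncation still NUL-terminates.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset the pre-fix code computed for the terminator: size - 1 with
   unsigned wraparound. For size == 0 this is SIZE_MAX, i.e. a store far
   outside any buffer. (Hypothetical helper for illustration only.) */
size_t unguarded_terminator_offset(size_t size) {
    return size - 1;
}

/* Hypothetical wrapper mirroring the fixed termination logic: format with
   C99 vsnprintf, then force a NUL at the last byte only when there is one. */
int safe_vsnprintf(char *str, size_t size, const char *format, va_list va) {
    int len = vsnprintf(str, size, format, va);
    /* C99: len is the length the complete output would have had; str holds
       at most size-1 characters plus the NUL. With size == 0 nothing may be
       written, so the guard below is what prevents the wrapped index. */
    if (size > 0)
        str[size - 1] = '\0';
    return len;
}

int safe_snprintf(char *str, size_t size, const char *format, ...) {
    va_list va;
    va_start(va, format);
    int len = safe_vsnprintf(str, size, format, va);
    va_end(va);
    return len;
}

/* C99 truncation test: the output was cut if the would-be length does not
   fit in size-1 characters. */
int was_truncated(int len, size_t size) {
    return len >= 0 && (size_t)len >= size;
}

/* Returns 1 if a zero-size call leaves every canary byte untouched and still
   reports the full length ("abc:42" is 6 characters). Constructed input. */
int check_size_zero(void) {
    char buf[8];
    memset(buf, 'X', sizeof buf);
    int len = safe_snprintf(buf, 0, "%s:%d", "abc", 42);
    return len == 6 && memcmp(buf, "XXXXXXXX", sizeof buf) == 0
           && was_truncated(len, 0);
}

/* Returns 1 if a 3-byte destination receives "he" plus NUL, the bytes after
   it keep their canary value, and the would-be length of "hello" is
   reported. Constructed input. */
int check_truncation(void) {
    char buf[8];
    memset(buf, 'X', sizeof buf);
    int len = safe_snprintf(buf, 3, "%s", "hello");
    return len == 5 && strcmp(buf, "he") == 0
           && buf[3] == 'X' && buf[7] == 'X'
           && was_truncated(len, 3);
}

int main(void) {
    printf("pre-fix terminator offset for size 0: %zu (SIZE_MAX is %zu)\n",
           unguarded_terminator_offset(0), (size_t)SIZE_MAX);
    printf("size 0 leaves buffer untouched: %d\n", check_size_zero());
    printf("truncation NUL-terminates: %d\n", check_truncation());
    return 0;
}
```

The guard is the whole fix: without it, the size == 0 call would store a NUL at the wrapped offset reported by unguarded_terminator_offset. Note that vsnprintf itself already obeys C99 for size == 0, so the dangerous store came only from the wrapper's own terminator write.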
Justin, is there any reproducer available for this issue? |