Uninitialized variable may be used in PyUnicode_DecodeUTF7Stateful() #49639
Comments
[Found by a Googler who prefers to remain anonymous] This might be easier to trigger on a 64-bit:

    PyObject *PyUnicode_DecodeUTF7Stateful(...)
    {
        ...
        Py_ssize_t startinpos;
        ...
        while (s < e) {
            ...
    utf7Error:
            outpos = p-PyUnicode_AS_UNICODE(unicode);
            endinpos = s-starts;
            if (unicode_decode_call_errorhandler(
                    errors, &errorHandler,
                    "utf7", errmsg,
                    starts, size, &startinpos, &endinpos, &exc, &s,
                    &unicode, &outpos, &p))
            ...
        }
        ...
    }

The lack of initialization of startinpos will lead to the likelihood of
The other similar variable also probably need to be initialized. |
I can't see at the moment how the unicode_decode_call_errorhandler call |
Hmm, I know nothing about UTF7... Anyway, looking at the code, the utf7Error code path can be called from
So it seems things are fine, but perhaps I'm missing something. |
The UTF-7 codec implementation has a few problems (one of them is that bpo-4426 has a patch with cleaned up and more standards compliant |
It looks like it was fixed in 2.6 by adding an assignment to startinpos

    else if (SPECIAL(ch,0,0)) {
        startinpos = s-starts; /* <---------- This was added */
        errmsg = "unexpected special character";
        s++;
        goto utf7Error;
    }

Are we going to release another 2.5, ever? |
Only with security fixes IIRC. Letting Martin decide. |
Well, this one is technically a security fix, though I have no idea how |
I agree it is technically a security fix, so somebody please feel free |
OK, submitted. |
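The pattern discussed in this thread, as an added example that is not part of the original issue or of CPython's code: a toy decoder in which every path that jumps to the shared error label sets `startinpos` first, the variable starts as a sentinel, and the handler validates the range it receives by pointer. `toy_decode`, `handle_error`, `err_range` and the decoding rules are hypothetical and constructed for illustration.

```c
#include <stddef.h>

typedef struct { ptrdiff_t start, end; int calls; } err_range;
/* Hypothetical stand-in for a handler that takes the range by pointer.
   It refuses a range that cannot index the input instead of trusting it. */
static int handle_error(ptrdiff_t size, const ptrdiff_t *startinpos,
                        const ptrdiff_t *endinpos, err_range *seen)
{
    if (*startinpos < 0 || *startinpos > *endinpos || *endinpos > size)
        return -1;              /* some path reached the label without setting it */
    seen->start = *startinpos;
    seen->end = *endinpos;
    seen->calls++;
    return 0;
}

/* Toy decoder (constructed rules, not real UTF-7): bytes >= 0x80 and '~' become '?'. */
ptrdiff_t toy_decode(const char *starts, ptrdiff_t size, char *out, err_range *seen)
{
    const char *s = starts, *e = starts + size;
    ptrdiff_t startinpos = -1, endinpos = -1, outpos = 0;  /* -1: sentinel, not stack garbage */
    while (s < e) {
        unsigned char ch = (unsigned char)*s;
        if (ch >= 0x80) {
            startinpos = s - starts;    /* set before the jump */
            s++;
            goto decode_error;
        } else if (ch == '~') {
            startinpos = s - starts;    /* same kind of assignment as the 2.6 fix */
            s++;
            goto decode_error;
        }
        out[outpos++] = (char)ch;
        s++;
        continue;
decode_error:
        endinpos = s - starts;
        if (handle_error(size, &startinpos, &endinpos, seen) < 0)
            return -1;
        out[outpos++] = '?';
        startinpos = -1;                /* a later path that forgets is rejected */
    }
    return outpos;
}

int main(void)
{
    char out[8]; err_range seen = {0, 0, 0};   /* constructed input below */
    return toy_decode("ab~cd", 5, out, &seen) == 5 && seen.start == 2 ? 0 : 1;
}
```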
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.