New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
winreg:fixupMultiSZ should check that P < Q in the inner loop #53440
Comments
The comment before fixupMultiSZ and countString states: ** Note that fixupMultiSZ and countString have both had changes As indicated in the comments, the two functions dutifully check the supplied length parameter and do not trust the data to be in the correct format. ... except for the inner loop in fixupMultiSZ, which reads: for(; *P != '\0'; P++)
; It should be the same as the inner loop of countStrings:
|
@tim is this something that you can comment on? |
@Steve/Zach FYI. |
I've created a PR for this issue. |
There's still a potential problem when Reg2Py calls wcslen(str[index]). This could be addressed by having fixupMultiSZ take an int array to store the length of each string. For example: static void
fixupMultiSZ(wchar_t **strings, int *lengths, wchar_t *data, int len)
{
wchar_t *P, *Q = data + len;
int i;
for (P = data, i = 0; P < Q && *P; P++, i++) {
strings[i] = P;
lengths[i] = 0;
for (; P < Q && *P; P++) {
lengths[i]++;
}
}
} We'd have to allocate the lengths array in Reg2Py, like we do for the strings array. Also, we can remove the overflow error check prior to PyUnicode_FromWideChar. The longest possible length is |
Thanks Zackery! I've merged this main part of the fix (though it requires a manual backport to 2.7). As it's a buffer overrun, I've sent it back to 3.6 as well. Eryk - thanks for the additional detail. I wonder whether it would be just as easy to guarantee an over-allocation in this case and force a null terminator? (In fact, that would probably have handled the same case that Zackery just fixed, but we didn't have a patch ready for that approach) |
Declaring this done - Ned can take the backport to 3.6 if/when he feels like it. |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: