Message 106538 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	belopolsky
Recipients	AmirHabibi, abbeyj, alexandre.vassalotti, belopolsky, brett.cannon, lemburg, pitrou, srid
Date	2010-05-26.15:51:04
SpamBayes Score	0.021940477
Marked as misclassified	No
Message-id	<1274889066.58.0.607584785519.issue6608@psf.upfronthosting.co.za>
In-reply-to

Content
The patch as written causes buffer overflow for year >= 10,000: >>> len(time.asctime( (10000, 1, 1, 0, 0, 0, 0, 1, -1))) 26 >>> len(time.asctime( (100000, 1, 1, 0, 0, 0, 0, 1, -1))) 27 while the buffer is only 26 characters: + static char result[26]; + + sprintf(result, "%.3s %.3s%3d %.2d:%.2d:%.2d %d\n", This can be fixed in multiple ways: changing the year format to %.4d, using PyString_Format, or restricting the year to 4 decimal digits in check_bounds. A nit pick: you can save some static storage by making wday_name and mon_name and possibly increase performance of asctime 2d arrays instead of arrays of pointers to null-terminated strings. See http://www.opengroup.org/onlinepubs/009695399/functions/asctime.html . Just as Martin, I am split on whether the patch is correct. The fact that it is almost a copy of POSIX reference implementation gives some confidence, but that confidence is taken away by the reference implementation having a buffer overflow bug. I am also not sure that all systems produce the same end of line character. I would like to hear from Windows experts.

The patch as written causes buffer overflow for year >= 10,000:

>>> len(time.asctime( (10000, 1, 1, 0, 0, 0, 0, 1, -1)))
26
>>> len(time.asctime( (100000, 1, 1, 0, 0, 0, 0, 1, -1)))
27

while the buffer is only 26 characters:

+       static char result[26];
+
+       sprintf(result, "%.3s %.3s%3d %.2d:%.2d:%.2d %d\n",

This can be fixed in multiple ways: changing the year format to %.4d, using PyString_Format, or restricting the year to 4 decimal digits in check_bounds.

A nit pick: you can save some static storage by making wday_name and mon_name and possibly increase performance of asctime 2d arrays instead of arrays of pointers to null-terminated strings.  See http://www.opengroup.org/onlinepubs/009695399/functions/asctime.html .

Just as Martin, I am split on whether the patch is correct.  The fact that it is almost a copy of POSIX reference implementation gives some confidence, but that confidence is taken away by the reference implementation having a buffer overflow bug.

I am also not sure that all systems produce the same end of line character.  I would like to hear from Windows experts.

History
Date	User	Action	Args
2010-05-26 15:51:06	belopolsky	set	recipients: + belopolsky, lemburg, brett.cannon, pitrou, alexandre.vassalotti, srid, abbeyj, AmirHabibi
2010-05-26 15:51:06	belopolsky	set	messageid: <1274889066.58.0.607584785519.issue6608@psf.upfronthosting.co.za>
2010-05-26 15:51:05	belopolsky	link	issue6608 messages
2010-05-26 15:51:04	belopolsky	create