Message 170373 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	christian.heimes, vstinner
Date	2012-09-12.12:36:40
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1347453422.44.0.810518034926.issue15930@psf.upfronthosting.co.za>
In-reply-to

Content
Coverity has found a buffer overrun in wcstombs_errorpos() defined at http://hg.python.org/cpython/file/25e41fdc4e60/Objects/unicodeobject.c#l3237 Message: CID 719672: Out-of-bounds access (OVERRUN)At (2): Overrunning array "buf" of 2 4-byte elements by passing it to a function which accesses it at element index 15 (byte offset 60) using argument "16UL". On a 64bit Linux system SIZE_OF_WCHAR_T is 4 and MB_LEN_MAX 16. In this constellation buf is 8 bytes long (wchar_t[2]) but outbuf has a size of 16 bytes. This causes a buffer overrun in wcstombs(outbuf, buf, sizeof(outbuf)).

Coverity has found a buffer overrun in wcstombs_errorpos() defined at 
http://hg.python.org/cpython/file/25e41fdc4e60/Objects/unicodeobject.c#l3237

Message:
CID 719672: Out-of-bounds access (OVERRUN)At (2): Overrunning array "buf" of 2 4-byte elements by passing it to a function which accesses it at element index 15 (byte offset 60) using argument "16UL". 

On a 64bit Linux system SIZE_OF_WCHAR_T is 4 and MB_LEN_MAX 16. In this constellation buf is 8 bytes long (wchar_t[2]) but outbuf has a size of 16 bytes. This causes a buffer overrun in wcstombs(outbuf, buf, sizeof(outbuf)).

History
Date	User	Action	Args
2012-09-12 12:37:02	christian.heimes	set	recipients: + christian.heimes, vstinner
2012-09-12 12:37:02	christian.heimes	set	messageid: <1347453422.44.0.810518034926.issue15930@psf.upfronthosting.co.za>
2012-09-12 12:36:41	christian.heimes	link	issue15930 messages
2012-09-12 12:36:40	christian.heimes	create