Message23511
Logged In: YES
user_id=1104715
This appears to be because PyString_FromStringAndSize takes a signed int
for size, doesn't verify that it is > 0, and then adds it to
sizeof(PyStringObject):
    op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);
PyObject_MALLOC will fail if given a < 0 size, but, if size is >
-sizeof(PyStringObject), the object will be allocated, but too small. Then,
memory gets clobbered.
If it returned NULL like it should, posix_read's error handling would be
fine.
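As an added illustration, not part of the tracker message or of CPython, the following C models the allocation-size arithmetic described above next to a checked variant that returns NULL on a negative size. StrHeader, unchecked_alloc_size, checked_alloc_size and make_str are hypothetical stand-ins for PyStringObject and PyString_FromStringAndSize.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical object layout (header plus character data), not the real CPython struct. */
typedef struct {
    size_t refcnt;
    size_t length;
    char   sval[];
} StrHeader;

/* Mirrors the arithmetic quoted in the message: header size plus a signed size
   with no lower-bound check. A negative size is converted to size_t and wraps,
   so -1 yields sizeof(StrHeader) - 1: an undersized allocation, not a failed one. */
size_t unchecked_alloc_size(int size)
{
    return sizeof(StrHeader) + size;
}

/* Hardened counterpart: reject negative sizes before any arithmetic; 0 means "do not allocate". */
size_t checked_alloc_size(int size)
{
    if (size < 0)
        return 0;
    return sizeof(StrHeader) + (size_t)size;
}

/* Allocates through the checked path; returns NULL on a bad size, which is what the caller expects. */
StrHeader *make_str(const char *src, int size)
{
    size_t nbytes = checked_alloc_size(size);
    if (nbytes == 0)
        return NULL;
    StrHeader *op = malloc(nbytes + 1);      /* +1 for the terminating NUL */
    if (op == NULL)
        return NULL;
    op->refcnt = 1;
    op->length = (size_t)size;
    memcpy(op->sval, src, (size_t)size);
    op->sval[size] = '\0';
    return op;
}

int main(void)
{
    printf("unchecked(-1) asks malloc for %zu bytes; the header alone is %zu\n",
           unchecked_alloc_size(-1), sizeof(StrHeader));
    return make_str("abc", -1) == NULL ? 0 : 1;
}
```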
Date                | User  | Action | Args
2007-08-23 14:28:05 | admin | link   | issue1077106 messages
2007-08-23 14:28:05 | admin | create |