Author foom
Date 2004-12-01.23:11:18
Content
This appears to be because PyString_FromStringAndSize takes a signed int 
for size, doesn't verify that it is > 0, and then adds it to 
sizeof(PyStringObject):
    op = (PyStringObject *)PyObject_MALLOC(sizeof(PyStringObject) + size);

PyObject_MALLOC will fail if given a < 0 size, but, if size is > 
-sizeof(PyStringObject), the object will be allocated, but too small. Then, 
memory gets clobbered.

If it returned NULL like it should, posix_read's error handling would be 
fine.
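
The size arithmetic described in the message above, as an added example that is not part of the original message and is not CPython source. The `str_obj` struct and all function names are hypothetical stand-ins for `PyStringObject` and its allocator.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for PyStringObject: fixed header, then inline data. */
typedef struct {
    size_t refcnt;
    int    length;
    char   data[1];
} str_obj;

/* Byte count the unchecked pattern passes to the allocator. The signed
 * size is converted to size_t before the addition, so the sum wraps. */
size_t unchecked_request(int size)
{
    return sizeof(str_obj) + (size_t)size;
}

/* 1 when the request is smaller than the header itself: the allocation
 * succeeds, and the header writes that follow land out of bounds. */
int request_is_undersized(int size)
{
    return unchecked_request(size) < sizeof(str_obj);
}

/* Checked variant: a negative size yields NULL, so the caller's normal
 * allocation-failure handling runs instead of a write past the block. */
str_obj *str_alloc_checked(int size)
{
    str_obj *op;
    if (size < 0)
        return NULL;
    op = malloc(sizeof(str_obj) + (size_t)size);
    if (op == NULL)
        return NULL;
    op->refcnt = 1;
    op->length = size;
    op->data[size] = '\0';
    return op;
}

int main(void)
{
    int far = -(int)sizeof(str_obj) - 1;   /* below -sizeof(header) */
    printf("size=-1  request=%zu undersized=%d\n",
           unchecked_request(-1), request_is_undersized(-1));
    printf("size=%d request=%zu (allocator refuses)\n", far, unchecked_request(far));
    printf("checked(-1) -> %p\n", (void *)str_alloc_checked(-1));
    return 0;
}
```
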
History
Date                 User   Action  Args
2007-08-23 14:28:05  admin  link    issue1077106 messages
2007-08-23 14:28:05  admin  create