Author jnferguson
Recipients jnferguson
Date 2008-04-08.15:49:03
SpamBayes Score 0.0636864
Marked as misclassified No
Message-id <1207669747.73.0.910333357226.issue2587@psf.upfronthosting.co.za>
In-reply-to
Content
The PyString_FromStringAndSize() function takes a pointer and signed
integer as input parameters however it fails to adequately check the
sanity of the integer argument. Because of the failure to check for
negative values and because it sums the integer with the size of the
PyStringObject structure it becomes possible for the allocator to take
either of the code paths in PyObject_MALLOC()-- both of which will
incorrectly allocate memory.

This may not seem like a big deal, but I'm posting this instead of
filing a bug for every place this screws you guys over.

if (0 > len || len > PYSSIZE_T_MAX/sizeof(PyStringObject)) 
        return NULL;
History
Date User Action Args
2008-04-08 15:49:08jnfergusonsetspambayes_score: 0.0636864 -> 0.0636864
recipients: + jnferguson
2008-04-08 15:49:07jnfergusonsetspambayes_score: 0.0636864 -> 0.0636864
messageid: <1207669747.73.0.910333357226.issue2587@psf.upfronthosting.co.za>
2008-04-08 15:49:04jnfergusonlinkissue2587 messages
2008-04-08 15:49:03jnfergusoncreate