Author jnferguson
Recipients jnferguson
Date 2008-04-08.15:55:08
SpamBayes Score 0.185971
Marked as misclassified No
Message-id <1207670110.11.0.605807538943.issue2588@psf.upfronthosting.co.za>
In-reply-to
Content
The PyOS_vsnprintf() contains the caveat that the length parameter
cannot be zero, however this is only enforced via assert() which is
compiled out. As a result if the length parameter is zero then the
function will underflow and write a null byte to invalid memory.

 53 int
 54 PyOS_vsnprintf(char *str, size_t size, const char  *format, va_list va)
 55 {
 56         int len;  /* # bytes written, excluding \0 */
 57 #ifndef HAVE_SNPRINTF
 58         char *buffer;
 59 #endif
 60         assert(str != NULL);
 61         assert(size > 0);
 62         assert(format != NULL);
 [...]
 65         len = vsnprintf(str, size, format, va);
 [...]
 91         str[size-1] = '\0';
 92         return len;
 93 }
History
Date User Action Args
2008-04-08 15:55:10jnfergusonsetspambayes_score: 0.185971 -> 0.185971
recipients: + jnferguson
2008-04-08 15:55:10jnfergusonsetspambayes_score: 0.185971 -> 0.185971
messageid: <1207670110.11.0.605807538943.issue2588@psf.upfronthosting.co.za>
2008-04-08 15:55:09jnfergusonlinkissue2588 messages
2008-04-08 15:55:08jnfergusoncreate