https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=286439
--- Comment #1 from Don Lewis <[email protected]> ---

This is the patched version of python/libxml.c:

    static void
    libxml_xmlErrorFuncHandler(ATTRIBUTE_UNUSED void *ctx, const char *msg, ...)
    {
        va_list ap;
        PyObject *list;
        PyObject *message;
        PyObject *result;
        char str[1000];
        unsigned char *ptr = (unsigned char *)str;

    #ifdef DEBUG_ERROR
        printf("libxml_xmlErrorFuncHandler(%p, %s, ...) called\n", ctx, msg);
    #endif

    #if PY_MAJOR_VERSION >= 3
        /* Ensure the error string doesn't start at UTF8 continuation. */
        while (*ptr && (*ptr & 0xc0) == 0x80)
            ptr++;
    #endif

The problem is that at this point, buf[] is still uninitialized and just contains stack garbage. If it doesn't contain any NUL bytes, the loop can walk ptr off the end of the array. Even if this doesn't happen, when ptr is used later, it will have a nonsense value.
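Added example (not code from the bug report or from the libxml2 sources): the safe ordering of the two steps the comment describes. The message is formatted into the buffer first, so the buffer is initialized and NUL-terminated before any byte of it is inspected, and the continuation-byte skip is additionally bounded by the number of bytes written. The function names, the buffer size and the sample messages are assumptions made for this example.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ERRBUF_SIZE 1000   /* assumed; matches the str[1000] in the report */

/* Return the offset of the first byte in s[0..len) that is not a UTF-8
 * continuation byte (10xxxxxx).  The walk stops at len or at a NUL, so it
 * cannot run past the buffer even if no NUL is present. */
size_t skip_utf8_continuation(const unsigned char *s, size_t len)
{
    size_t i = 0;
    while (i < len && s[i] != '\0' && (s[i] & 0xc0) == 0x80)
        i++;
    return i;
}

/* Format msg into buf (vsnprintf NUL-terminates whenever bufsize > 0) and
 * only then look for the first non-continuation byte.  Returns the offset
 * at which the caller should start reading the message. */
size_t format_error_message(char *buf, size_t bufsize, const char *msg, va_list ap)
{
    if (bufsize == 0)
        return 0;
    int n = vsnprintf(buf, bufsize, msg, ap);
    if (n < 0) {                 /* encoding error: hand back an empty string */
        buf[0] = '\0';
        return 0;
    }
    /* vsnprintf reports the would-be length; clamp to what was stored. */
    size_t written = (size_t)n < bufsize ? (size_t)n : bufsize - 1;
    return skip_utf8_continuation((const unsigned char *)buf, written);
}

/* Variadic wrapper with the same shape as the libxml error handler. */
size_t format_error(char *buf, size_t bufsize, const char *msg, ...)
{
    va_list ap;
    va_start(ap, msg);
    size_t off = format_error_message(buf, bufsize, msg, ap);
    va_end(ap);
    return off;
}

/* Constructed input: two stray continuation bytes precede the real text. */
static const char *demo_prefix = "\x80\x81";
static const char *demo_text   = "bad entity";

/* Offset at which the readable message starts for the constructed input. */
size_t demo_offset(void)
{
    char buf[ERRBUF_SIZE];
    return format_error(buf, sizeof buf, "%s%s", demo_prefix, demo_text);
}

/* 1 if the text after the offset is exactly the readable part, else 0. */
int demo_matches(void)
{
    char buf[ERRBUF_SIZE];
    size_t off = format_error(buf, sizeof buf, "%s%s", demo_prefix, demo_text);
    return strcmp(buf + off, demo_text) == 0;
}

int main(void)
{
    char buf[ERRBUF_SIZE];
    size_t off = format_error(buf, sizeof buf, "%s%s", demo_prefix, demo_text);
    printf("offset %zu: %s\n", off, buf + off);
    return 0;
}
```

The point of the ordering is that both loop conditions in the original (`*ptr` and the continuation-byte test) are only meaningful once `str` holds the formatted message; scanning it beforehand reads whatever the stack held, and a bounded length check is cheap insurance even after that is fixed.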
