New submission from Christian Heimes:

In Python/sysmodule.c the function sys_update_path() uses wcscpy to copy data 
to a fixed size buffer. The input comes from an external source (argv[0]) and 
could theoretically be larger than the buffer.

Suggested solution:
Increase the buffer a bit:

    wchar_t argv0copy[sizeof(wchar_t)* (MAXPATHLEN+1)];

and use wcsncpy:

    wcsncpy(argv0copy, argv0, MAXPATHLEN);
    argv0copy[MAXPATHLEN] = L'\0';


CID 486850

----------
components: Interpreter Core
messages: 170200
nosy: christian.heimes
priority: normal
severity: normal
stage: needs patch
status: open
title: Copy to fixed size buffer w/o check in sys_update_path
type: behavior
versions: Python 3.2, Python 3.3, Python 3.4

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue15905>
_______________________________________
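
The bounded copy suggested in the report, as an added example that is not part of the original message or of CPython's source. `DEMO_MAXPATHLEN`, `demo_frame`, `copy_argv0` and `demo_store` are hypothetical names, and the small buffer size is an assumption chosen so that truncation is easy to see.

```c
#include <stdio.h>
#include <wchar.h>

/* Assumed small stand-in for MAXPATHLEN so truncation is easy to see. */
#define DEMO_MAXPATHLEN 16

/* Buffer followed by a canary, so an out-of-bounds write would be visible. */
struct demo_frame {
    wchar_t argv0copy[DEMO_MAXPATHLEN + 1];
    wchar_t canary;
};

/* Bounded copy as suggested in the report. dst must hold
   DEMO_MAXPATHLEN + 1 wide characters.
   Returns 1 if src was truncated, 0 if it fit. */
int copy_argv0(wchar_t *dst, const wchar_t *src)
{
    /* wcsncpy writes at most DEMO_MAXPATHLEN elements and appends no
       terminator when src is that long or longer. */
    wcsncpy(dst, src, DEMO_MAXPATHLEN);
    dst[DEMO_MAXPATHLEN] = L'\0';   /* explicit termination is required */
    return wcslen(src) > DEMO_MAXPATHLEN;
}

/* Copies argv0 into a frame and checks the canary.
   Returns -1 if the canary was overwritten, otherwise the stored length. */
int demo_store(const wchar_t *argv0, int *truncated)
{
    struct demo_frame f;
    f.canary = L'#';
    *truncated = copy_argv0(f.argv0copy, argv0);
    if (f.canary != L'#')
        return -1;
    return (int)wcslen(f.argv0copy);
}

int main(void)
{
    /* Constructed inputs: shorter than, exactly, and longer than the limit. */
    const wchar_t *samples[] = {
        L"python", L"/usr/bin/python3", L"/opt/very/long/path/to/python3"
    };
    for (int i = 0; i < 3; i++) {
        int truncated;
        int n = demo_store(samples[i], &truncated);
        printf("stored=%d truncated=%d\n", n, truncated);
    }
    return 0;
}
```

The second sample is exactly `DEMO_MAXPATHLEN` characters long, the case in which `wcsncpy` alone would leave the buffer unterminated.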