New submission from Christian Heimes:
In Python/sysmodule.c the function sys_update_path() uses wcscpy to copy data
to a fixed size buffer. The input comes from an external source (argv[0]) and
could theoretically be larger than the buffer.
Suggested solution:

Increase the buffer a bit:

    wchar_t argv0copy[sizeof(wchar_t)* (MAXPATHLEN+1)];

and use wcsncpy:

    wcsncpy(argv0copy, argv0, MAXPATHLEN);
    argv0copy[MAXPATHLEN] = L'\0';

CID 486850
----------
components: Interpreter Core
messages: 170200
nosy: christian.heimes
priority: normal
severity: normal
stage: needs patch
status: open
title: Copy to fixed size buffer w/o check in sys_update_path
type: behavior
versions: Python 3.2, Python 3.3, Python 3.4
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue15905>
_______________________________________
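
The bounded copy suggested in the report, as an added example that is not part of the original message or of CPython's source. It shows why the explicit terminator is needed: wcsncpy() writes no L'\0' when the source fills the whole count. DEMO_MAXPATHLEN, copy_argv0() and try_copy() are hypothetical names, the paths are constructed sample input, and the buffer is sized in elements (DEMO_MAXPATHLEN + 1).

```c
#include <stdio.h>
#include <wchar.h>

/* Assumption: a small stand-in for the platform's MAXPATHLEN so the
   boundary and truncation cases are easy to trigger. */
#define DEMO_MAXPATHLEN 16

struct copy_result { size_t len; int truncated; };

/* Copy at most DEMO_MAXPATHLEN wide characters and always terminate.
   Returns 1 if src did not fit and was cut short, 0 otherwise. */
static int copy_argv0(wchar_t dst[DEMO_MAXPATHLEN + 1], const wchar_t *src)
{
    wcsncpy(dst, src, DEMO_MAXPATHLEN);
    dst[DEMO_MAXPATHLEN] = L'\0';   /* wcsncpy alone may leave dst unterminated */
    return wcslen(src) > DEMO_MAXPATHLEN;
}

/* Run the copy into a buffer pre-filled with non-zero data, so a missing
   terminator could not go unnoticed by landing on a leftover zero. */
static struct copy_result try_copy(const wchar_t *src)
{
    wchar_t buf[DEMO_MAXPATHLEN + 1];
    struct copy_result r;

    wmemset(buf, L'X', DEMO_MAXPATHLEN + 1);
    r.truncated = copy_argv0(buf, src);
    r.len = wcslen(buf);
    return r;
}

int main(void)
{
    /* Constructed inputs: shorter than, exactly at, and beyond the limit. */
    const wchar_t *samples[] = {
        L"/bin/py",
        L"/usr/bin/python3",
        L"/opt/constructed/very/long/path/python3",
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct copy_result r = try_copy(samples[i]);
        printf("%ls -> len=%zu truncated=%d\n", samples[i], r.len, r.truncated);
    }
    return 0;
}
```

A caller that must not operate on a shortened path can treat a return value of 1 from copy_argv0() as an error instead of continuing with the truncated copy.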