New submission from Justin Ferguson <[EMAIL PROTECTED]>:

The PyString_FromStringAndSize() function takes a pointer and a signed integer as input parameters; however, it fails to adequately check the sanity of the integer argument. Because of the failure to check for negative values, and because it sums the integer with the size of the PyStringObject structure, it becomes possible for the allocator to take either of the code paths in PyObject_MALLOC(), both of which will incorrectly allocate memory.

This may not seem like a big deal, but I'm posting this instead of filing a bug for every place this screws you guys over.

    /* proposed sanity check on len before the allocation
       (constant spelled as CPython defines it: PY_SSIZE_T_MAX) */
    if (0 > len || len > PY_SSIZE_T_MAX/sizeof(PyStringObject))
        return NULL;

----------
components: Interpreter Core
messages: 65172
nosy: jnferguson
severity: normal
status: open
title: PyString_FromStringAndSize() to be considered unsane
type: security
versions: Python 2.5

Tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue2587>
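As an added illustration (not part of the original report or of CPython itself), the following C models the unchecked `sizeof(PyStringObject) + len` computation with a constructed stand-in struct, classifies what the allocator would be asked for, and shows how the proposed range check rejects the values that make the request undersized or wrap around. The struct layout and the `py_ssize_t` / `PY_SSIZE_T_MAX_LIKE` names are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for Py_ssize_t and PY_SSIZE_T_MAX (assumption: a signed type the
 * width of size_t, as CPython's Py_ssize_t is). */
typedef ptrdiff_t py_ssize_t;
#define PY_SSIZE_T_MAX_LIKE PTRDIFF_MAX

/* Constructed stand-in for the PyStringObject header; the real layout differs,
 * only the "fixed header plus variable payload" shape matters here. */
typedef struct {
    py_ssize_t ob_refcnt;
    void *ob_type;
    py_ssize_t ob_size;
    long ob_shash;
    int ob_sstate;
    char ob_sval[1];
} fake_string_object;

/* The unchecked computation the report describes: sizeof() is size_t, so a
 * negative len is converted to unsigned before the addition. */
size_t requested_bytes(py_ssize_t len)
{
    return sizeof(fake_string_object) + len;
}

/* 0 = request smaller than the header itself (small negative len),
 * 2 = request wrapped to an absurdly large size (large negative len),
 * 1 = a sane request. Both 0 and 2 reach PyObject_MALLOC() unchecked. */
int classify_request(py_ssize_t len)
{
    size_t n = requested_bytes(len);
    if (n < sizeof(fake_string_object)) return 0;
    if (len < 0) return 2;
    return 1;
}

/* The check proposed in the report, applied before any allocation. */
int len_is_sane(py_ssize_t len)
{
    if (0 > len || len > PY_SSIZE_T_MAX_LIKE / (py_ssize_t)sizeof(fake_string_object))
        return 0;
    return 1;
}

int main(void)
{
    py_ssize_t probes[] = { 5, -1, -(py_ssize_t)sizeof(fake_string_object) - 1 };
    for (size_t i = 0; i < 3; i++)
        printf("len=%td -> request %zu bytes, class %d, sane %d\n", probes[i],
               requested_bytes(probes[i]), classify_request(probes[i]), len_is_sane(probes[i]));
    return 0;
}
```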