New submission from Alexander Riccio:
I found this while writing up a separate bug (CPython doesn't use static
analysis!).
In PC/launcher.c, get_env has a bug:
/* Large environment variable. Accept some leakage */
wchar_t *buf2 = (wchar_t*)malloc(sizeof(wchar_t) * (result+1));
if (buf2 = NULL) {
error(RC_NO_MEMORY, L"Could not allocate environment buffer");
}
GetEnvironmentVariableW(key, buf2, result);
return buf2;
See: https://hg.python.org/cpython/file/tip/PC/launcher.c#l117
Instead of `buf2 == NULL`, Vinay Sajip wrote `buf2 = NULL`. The commit where
the error was introduced: https://hg.python.org/cpython/rev/4123e002a1af
Thus, whatever value was in buf2 is lost, the branch is NOT taken (because buf2
evaluates to false), and GetEnvironmentVariableW will (probably) cause an
access violation.
Compiling with /analyze found this quite easily:
c:\pythondev\repo\pc\launcher.c(117): warning C6282: Incorrect operator:
assignment of constant in Boolean context. Consider using '==' instead.
----------
components: Windows
messages: 256254
nosy: Alexander Riccio, paul.moore, steve.dower, tim.golden, vinay.sajip,
zach.ware
priority: normal
severity: normal
status: open
title: Pylauncher, launcher.c: Assigning NULL to a pointer instead of testing
against NULL
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue25844>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
