New submission from Alexander Riccio:
I found this while writing up a separate bug (CPython doesn't use static
analysis!).
In modules/posixmodule.c, win32_wchdir uses Py_ARRAY_LENGTH on a wchar_t*:
wchar_t _new_path[MAX_PATH], *new_path = _new_path;
int result;
wchar_t env[4] = L"=x:";
if(!SetCurrentDirectoryW(path))
return FALSE;
result = GetCurrentDirectoryW(Py_ARRAY_LENGTH(new_path), new_path);
...instead of using Py_ARRAY_LENGTH(_new_path), the programmer wrote
Py_ARRAY_LENGTH(new_path), doesn't work on pointers:
/* Get the number of elements in a visible array
This does not work on pointers, or arrays declared as [], or function
parameters. With correct compiler support, such usage will cause a build
error (see Py_BUILD_ASSERT_EXPR).
Written by Rusty Russell, public domain, http://ccodearchive.net/
*/
#define Py_ARRAY_LENGTH(array) \
(sizeof(array) / sizeof((array)[0]))
The same issue occurs two lines later:
if (result > Py_ARRAY_LENGTH(new_path)) {
Compiling with /analyze found this quite easily:
c:\pythondev\repo\modules\posixmodule.c(1354): warning C6384: Dividing sizeof a
pointer by another value.
----------
components: Windows
messages: 256260
nosy: Alexander Riccio, larry, paul.moore, steve.dower, tim.golden, zach.ware
priority: normal
severity: normal
status: open
title: Use of Py_ARRAY_LENGTH on pointer in posixmodule.c, win32_wchdir
_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue25846>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
