Public bug reported:

Binary package hint: python2.5

Ubuntu 8.04, python 2.5.2-0ubuntu1, python2.5 2.5.2-2ubuntu4.

Python/pythonrun.c's PyRun_SimpleFileExFlags() assumes the filename's extension
starts four characters back from the end.  But what if the filename is only one
character long?  Memory before the filename is referenced which is probably
outside the memory allocated for the string.  Here's the relevant bits of code,
boring lines deleted.

    int
    PyRun_SimpleFileExFlags(FILE *fp, const char *filename, int closeit,
                            PyCompilerFlags *flags)
    {
        ext = filename + strlen(filename) - 4;
        if (maybe_pyc_file(fp, filename, ext, closeit)) {
            if (strcmp(ext, ".pyo") == 0)
                Py_OptimizeFlag = 1;
        }
    }

    static int
    maybe_pyc_file(FILE *fp, const char* filename, const char* ext, int closeit)
    {
        if (strcmp(ext, ".pyc") == 0 || strcmp(ext, ".pyo") == 0)
            return 1;
    }

A trivial solution is:

    len = strlen(filename);
    ext = filename + len - (len > 4 ? 4 : 0);

This will make ext point to the NUL terminator unless filename has room
for the desired /\.py[co]$/ suffix *and* at least one character
beforehand, since I don't suppose it's intended that ".pyo" is a valid
pyo file.

** Affects: python2.5 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
python accesses memory before short string when checking suffix
https://bugs.launchpad.net/bugs/234798
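The bounded suffix check the report describes, as an added example that is not part of the original report or of CPython's source. The helper names (`unchecked_offset`, `suffix_ptr`, `has_compiled_suffix`) and the sample filenames are assumptions made for illustration; the unchecked offset is only computed as a number and never dereferenced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offset from the start of filename that "filename + strlen(filename) - 4"
 * would use. A negative value means the pointer lands before the string. */
static ptrdiff_t
unchecked_offset(const char *filename)
{
    return (ptrdiff_t)strlen(filename) - 4;
}

/* Bounded form: points at the last four characters only when the name
 * has room for a four-character suffix plus at least one character
 * before it; otherwise points at the NUL terminator. */
static const char *
suffix_ptr(const char *filename)
{
    size_t len = strlen(filename);
    return filename + len - (len > 4 ? 4 : 0);
}

/* 1 if filename ends in ".pyc" or ".pyo" and has a non-empty stem. */
static int
has_compiled_suffix(const char *filename)
{
    const char *ext = suffix_ptr(filename);
    return strcmp(ext, ".pyc") == 0 || strcmp(ext, ".pyo") == 0;
}

int
main(void)
{
    /* Constructed sample names, not taken from the report. */
    const char *names[] = { "", "a", ".pyo", "x.pyc", "script.py", "mod.pyo" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("\"%s\": unchecked offset %td, bounded suffix \"%s\", compiled=%d\n",
               names[i], unchecked_offset(names[i]),
               suffix_ptr(names[i]), has_compiled_suffix(names[i]));
    return 0;
}
```

Every name shorter than four characters yields a negative unchecked offset, which is the out-of-bounds read the report describes; the bounded form returns an empty suffix for those names and for a bare ".pyo".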