diff options
| author | Martin Wilke <miwi@FreeBSD.org> | 2008-09-08 00:14:06 +0000 |
|---|---|---|
| committer | Martin Wilke <miwi@FreeBSD.org> | 2008-09-08 00:14:06 +0000 |
| commit | 8a1ff65b9b4abb36af6477b5c168037be07d4f71 (patch) | |
| tree | b9ac213a94e3a8e1c94343b9c5297f42639bc33e /lang/python27/files/patch-python_mysnprintf.c | |
| parent | - Update to 3.45 (diff) | |
- Security fixes
Multiple vulnerabilities:
1) Various integer overflow errors exist in core modules e.g. stringobject,
unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule.
2) An integer overflow in the hashlib module can lead to an unreliable cryptographic digest results.
3) Integer overflow errors in the processing of unicode strings can be exploited to cause
buffer overflows on 32-bit systems.
4) An integer overflow exists in the PyOS_vsnprintf() function on architectures that do not
have a "vsnprintf()" function.
5) An integer underflow error in the PyOS_vsnprintf() function when passing zero-length strings
can lead to memory corruption.
PR: 127172 (based on)
Submitted by: bf <bf2006a@yahoo.com>
Obtained from: python svn
Security: CVE-2008-2315, CVE-2008-2316, CVE-2008-3142, CVE-2008-3144, CVE-2008-3143. (vuxml come later)
Diffstat (limited to 'lang/python27/files/patch-python_mysnprintf.c')
| -rw-r--r-- | lang/python27/files/patch-python_mysnprintf.c | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/lang/python27/files/patch-python_mysnprintf.c b/lang/python27/files/patch-python_mysnprintf.c new file mode 100644 index 000000000000..276dd21a1b31 --- /dev/null +++ b/lang/python27/files/patch-python_mysnprintf.c @@ -0,0 +1,55 @@ +--- Python/mysnprintf.c.orig 2001-12-21 16:32:15.000000000 +0000 ++++ Python/mysnprintf.c 2008-08-30 10:46:31.000000000 +0100 +@@ -54,18 +54,28 @@ + PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) + { + int len; /* # bytes written, excluding \0 */ +-#ifndef HAVE_SNPRINTF ++#ifdef HAVE_SNPRINTF ++#define _PyOS_vsnprintf_EXTRA_SPACE 1 ++#else ++#define _PyOS_vsnprintf_EXTRA_SPACE 512 + char *buffer; + #endif + assert(str != NULL); + assert(size > 0); + assert(format != NULL); ++ /* We take a size_t as input but return an int. Sanity check ++ * our input so that it won't cause an overflow in the ++ * vsnprintf return value or the buffer malloc size. */ ++ if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) { ++ len = -666; ++ goto Done; ++ } + + #ifdef HAVE_SNPRINTF + len = vsnprintf(str, size, format, va); + #else + /* Emulate it. */ +- buffer = PyMem_MALLOC(size + 512); ++ buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE); + if (buffer == NULL) { + len = -666; + goto Done; +@@ -75,7 +85,7 @@ + if (len < 0) + /* ignore the error */; + +- else if ((size_t)len >= size + 512) ++ else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE) + Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf"); + + else { +@@ -86,8 +96,10 @@ + str[to_copy] = '\0'; + } + PyMem_FREE(buffer); +-Done: + #endif +- str[size-1] = '\0'; ++Done: ++ if (size > 0) ++ str[size-1] = '\0'; + return len; ++#undef _PyOS_vsnprintf_EXTRA_SPACE + } |