Trent Mick:

gvanrossum · gvanrossum · commit 106f2dae8687 · 2000-06-28T21:12:25.000Z
Various small fixes to the builtin module to ensure no buffer overflows. - chunk #1: Proper casting to ensure no truncation, and hence no surprises, in the comparison. - chunk #2: The id() function guarantees a unique return value for different objects. It does this by returning the pointer to the object. By returning a PyInt, on Win64 (sizeof(long) < sizeof(void*)) the pointer is truncated and the guarantee may be proven false. The appropriate return function is PyLong_FromVoidPtr, this returns a PyLong if that is necessary to return the pointer without truncation. [GvR: note that this means that id() can now return a long on Win32 platforms. This *might* break some code...] - chunk #3: Ensure no overflow in raw_input(). Granted the user would have to pass in >2GB of data but it *is* a possible buffer overflow condition.
diff --git a/Python/bltinmodule.c b/Python/bltinmodule.c
@@ -832,7 +832,7 @@ builtin_eval(self, args)
 		return NULL;
 	}
 	str = PyString_AsString(cmd);
-	if ((int)strlen(str) != PyString_Size(cmd)) {
+	if (strlen(str) != (size_t)PyString_Size(cmd)) {
 		PyErr_SetString(PyExc_ValueError,
 			   "embedded '\\0' in string arg");
 		return NULL;
@@ -985,7 +985,7 @@ builtin_id(self, args)
 
 	if (!PyArg_ParseTuple(args, "O:id", &v))
 		return NULL;
-	return PyInt_FromLong((long)v);
+	return PyLong_FromVoidPtr(v);
 }
 
 static char id_doc[] =
@@ -1873,7 +1873,14 @@ builtin_raw_input(self, args)
 			result = NULL;
 		}
 		else { /* strip trailing '\n' */
-			result = PyString_FromStringAndSize(s, strlen(s)-1);
+			size_t len = strlen(s);
+			if (len > INT_MAX) {
+				PyErr_SetString(PyExc_OverflowError, "input too long");
+				result = NULL;
+			}
+			else {
+				result = PyString_FromStringAndSize(s, (int)(len-1));
+			}
 		}
 		PyMem_FREE(s);
 		return result;
