Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 6c84969

Browse files
gvanrossumgvanrossum
committed
Fix various potential buffer overrun problems.
1 parent 138d72f commit 6c84969

1 file changed

Lines changed: 18 additions & 9 deletions

File tree

Python/import.c

Lines changed: 18 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -167,8 +167,12 @@ extern char *getprogramname();
167167

168168
#endif /* DYNAMIC_LINK */
169169

170-
/* Magic word to reject .pyc files generated by other Python versions */
170+
/* Max length of module suffix searched for -- accommodates "module.so" */
171+
#ifndef MAXSUFFIXSIZE
172+
#define MAXSUFFIXSIZE 10
173+
#endif
171174

175+
/* Magic word to reject .pyc files generated by other Python versions */
172176
#define MAGIC 0x999903L /* Increment by one for each incompatible change */
173177

174178
static object *modules;
@@ -355,7 +359,7 @@ load_dynamic_module(name, namebuf, m, m_ret)
355359
char buf[256];
356360
if (verbose)
357361
perror(namebuf);
358-
sprintf(buf,"Failed to load %s", namebuf);
362+
sprintf(buf, "Failed to load %.200s", namebuf);
359363
err_setstr(ImportError, buf);
360364
return NULL;
361365
}
@@ -396,7 +400,7 @@ get_module(m, name, m_ret)
396400
char *name;
397401
object **m_ret;
398402
{
399-
int err, npath, i, len;
403+
int err, npath, i, len, namelen;
400404
long magic;
401405
long mtime, pyc_mtime;
402406
char namebuf[MAXPATHLEN+1];
@@ -413,16 +417,21 @@ get_module(m, name, m_ret)
413417
return NULL;
414418
}
415419
npath = getlistsize(path);
420+
namelen = strlen(name);
416421
for (i = 0; i < npath; i++) {
417422
v = getlistitem(path, i);
418423
if (!is_stringobject(v))
419424
continue;
420-
strcpy(namebuf, getstringvalue(v));
421425
len = getstringsize(v);
426+
if (len + 1 + namelen + MAXSUFFIXSIZE >= MAXPATHLEN)
427+
continue; /* Too long */
428+
strcpy(namebuf, getstringvalue(v));
429+
if (strlen(namebuf) != len)
430+
continue; /* v contains '\0' */
422431
if (len > 0 && namebuf[len-1] != SEP)
423432
namebuf[len++] = SEP;
424433
strcpy(namebuf+len, name);
425-
len += strlen(name);
434+
len += namelen;
426435
for (fdp = filetab; fdp->suffix != NULL; fdp++) {
427436
strcpy(namebuf+len, fdp->suffix);
428437
if (verbose > 1)
@@ -435,7 +444,7 @@ get_module(m, name, m_ret)
435444
break;
436445
}
437446
if (fp == NULL) {
438-
sprintf(namebuf, "No module named %s", name);
447+
sprintf(namebuf, "No module named %.200s", name);
439448
err_setstr(ImportError, namebuf);
440449
return NULL;
441450
}
@@ -761,9 +770,9 @@ void aix_loaderror(char *namebuf)
761770
};
762771

763772
#define LOAD_ERRTAB_LEN (sizeof(load_errtab)/sizeof(load_errtab[0]))
764-
#define ERRBUF_APPEND(s) strncat(errbuf, s, sizeof(errbuf))
773+
#define ERRBUF_APPEND(s) strncat(errbuf, s, sizeof(errbuf)-strlen(errbuf)-1)
765774

766-
sprintf(errbuf, " from module %s ", namebuf);
775+
sprintf(errbuf, " from module %.200s ", namebuf);
767776

768777
if (!loadquery(1, &message[0], sizeof(message)))
769778
ERRBUF_APPEND(strerror(errno));
@@ -777,7 +786,7 @@ void aix_loaderror(char *namebuf)
777786
ERRBUF_APPEND(message[i]);
778787
ERRBUF_APPEND("\n");
779788
}
780-
errbuf[strlen(errbuf)-1] = '\0' ; /* trim off last newline */
789+
errbuf[strlen(errbuf)-1] = '\0'; /* trim off last newline */
781790
err_setstr(ImportError, errbuf);
782791
return;
783792
}

0 commit comments

Comments
 (0)