mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-11-01 18:51:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 21

Fixes for possible buffer overflows in sprintf() usages.

Browse source
This commit is contained in:
Marc-André Lemburg 2001-11-28 11:47:00 +00:00
parent 5107b4cf5f
commit d4c0a9c59b
8 changed files with 17 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Modules/_testcapimodule.c
View file

@ -36,7 +36,7 @@ sizeof_error(const char* fatname, const char* typename,
int expected, int got) int expected, int got)
{ {
char buf[1024]; char buf[1024];
sprintf(buf, "%s #define == %d but sizeof(%s) == %d", sprintf(buf, "%.200s #define == %d but sizeof(%.200s) == %d",
fatname, expected, typename, got); fatname, expected, typename, got);
PyErr_SetString(TestError, buf); PyErr_SetString(TestError, buf);
return (PyObject*)NULL; return (PyObject*)NULL;

2
Modules/posixmodule.c
View file

@ -5787,7 +5787,7 @@ static int insertvalues(PyObject *d)
APIRET rc; APIRET rc;
ULONG values[QSV_MAX+1]; ULONG values[QSV_MAX+1];
PyObject *v; PyObject *v;
char *ver, tmp[10]; char *ver, tmp[50];
Py_BEGIN_ALLOW_THREADS Py_BEGIN_ALLOW_THREADS
rc = DosQuerySysInfo(1, QSV_MAX, &values[1], sizeof(values)); rc = DosQuerySysInfo(1, QSV_MAX, &values[1], sizeof(values));

4
Modules/readline.c
View file

@ -165,7 +165,7 @@ set_hook(const char * funcname, PyObject **hook_var, PyThreadState **tstate, PyO
{ {
PyObject *function = Py_None; PyObject *function = Py_None;
char buf[80]; char buf[80];
sprintf(buf, "|O:set_%s", funcname); sprintf(buf, "|O:set_%.50s", funcname);
if (!PyArg_ParseTuple(args, buf, &function)) if (!PyArg_ParseTuple(args, buf, &function))
return NULL; return NULL;
if (function == Py_None) { if (function == Py_None) {
@ -181,7 +181,7 @@ set_hook(const char * funcname, PyObject **hook_var, PyThreadState **tstate, PyO
*tstate = PyThreadState_Get(); *tstate = PyThreadState_Get();
} }
else { else {
sprintf(buf, "set_%s(func): argument not callable", funcname); sprintf(buf, "set_%.50s(func): argument not callable", funcname);
PyErr_SetString(PyExc_TypeError, buf); PyErr_SetString(PyExc_TypeError, buf);
return NULL; return NULL;
} }

2
Objects/weakrefobject.c
View file

@ -135,7 +135,7 @@ weakref_repr(PyWeakReference *self)
(long)(self)); (long)(self));
} }
else { else {
sprintf(buffer, "<weakref at %#lx; to '%s' at %#lx>", sprintf(buffer, "<weakref at %#lx; to '%.50s' at %#lx>",
(long)(self), PyWeakref_GET_OBJECT(self)->ob_type->tp_name, (long)(self), PyWeakref_GET_OBJECT(self)->ob_type->tp_name,
(long)(PyWeakref_GET_OBJECT(self))); (long)(PyWeakref_GET_OBJECT(self)));
} }

2
Python/compile.c
View file

@ -4195,7 +4195,7 @@ get_ref_type(struct compiling *c, char *name)
return GLOBAL_IMPLICIT; return GLOBAL_IMPLICIT;
} }
} }
sprintf(buf, PyOS_snprintf(buf, sizeof(buf),
"unknown scope for %.100s in %.100s(%s) " "unknown scope for %.100s in %.100s(%s) "
"in %s\nsymbols: %s\nlocals: %s\nglobals: %s\n", "in %s\nsymbols: %s\nlocals: %s\nglobals: %s\n",
name, c->c_name, name, c->c_name,

2
Python/dynload_os2.c
View file

@ -32,7 +32,7 @@ dl_funcptr _PyImport_GetDynLoadFunc(const char *fqname, const char *shortname,
if (rc != NO_ERROR) { if (rc != NO_ERROR) {
char errBuf[256]; char errBuf[256];
sprintf(errBuf, sprintf(errBuf,
"DLL load failed, rc = %d: %s", "DLL load failed, rc = %d: %.200s",
rc, failreason); rc, failreason);
PyErr_SetString(PyExc_ImportError, errBuf); PyErr_SetString(PyExc_ImportError, errBuf);
return NULL; return NULL;

2
Python/dynload_win.c
View file

@ -232,7 +232,7 @@ dl_funcptr _PyImport_GetDynLoadFunc(const char *fqname, const char *shortname,
if (import_python && if (import_python &&
strcasecmp(buffer,import_python)) { strcasecmp(buffer,import_python)) {
sprintf(buffer, sprintf(buffer,
"Module use of %s conflicts " "Module use of %.150s conflicts "
"with this version of Python.", "with this version of Python.",
import_python); import_python);
PyErr_SetString(PyExc_ImportError,buffer); PyErr_SetString(PyExc_ImportError,buffer);

23
Python/getargs.c
View file

@ -1,11 +1,6 @@
/* New getargs implementation */ /* New getargs implementation */
/* XXX There are several unchecked sprintf or strcat calls in this file.
XXX The only way these can become a danger is if some C code in the
XXX Python source (or in an extension) uses ridiculously long names
XXX or ridiculously deep nesting in format strings. */
#include "Python.h" #include "Python.h"
#include <ctype.h> #include <ctype.h>
@ -140,7 +135,7 @@ vgetargs1(PyObject *args, char *format, va_list *p_va, int compat)
if (max == 0) { if (max == 0) {
if (args == NULL) if (args == NULL)
return 1; return 1;
sprintf(msgbuf, "%s%s takes no arguments", sprintf(msgbuf, "%.200s%s takes no arguments",
fname==NULL ? "function" : fname, fname==NULL ? "function" : fname,
fname==NULL ? "" : "()"); fname==NULL ? "" : "()");
PyErr_SetString(PyExc_TypeError, msgbuf); PyErr_SetString(PyExc_TypeError, msgbuf);
@ -149,7 +144,7 @@ vgetargs1(PyObject *args, char *format, va_list *p_va, int compat)
else if (min == 1 && max == 1) { else if (min == 1 && max == 1) {
if (args == NULL) { if (args == NULL) {
sprintf(msgbuf, sprintf(msgbuf,
"%s%s takes at least one argument", "%.200s%s takes at least one argument",
fname==NULL ? "function" : fname, fname==NULL ? "function" : fname,
fname==NULL ? "" : "()"); fname==NULL ? "" : "()");
PyErr_SetString(PyExc_TypeError, msgbuf); PyErr_SetString(PyExc_TypeError, msgbuf);
@ -179,7 +174,7 @@ vgetargs1(PyObject *args, char *format, va_list *p_va, int compat)
if (len < min || max < len) { if (len < min || max < len) {
if (message == NULL) { if (message == NULL) {
sprintf(msgbuf, sprintf(msgbuf,
"%s%s takes %s %d argument%s (%d given)", "%.150s%s takes %s %d argument%s (%d given)",
fname==NULL ? "function" : fname, fname==NULL ? "function" : fname,
fname==NULL ? "" : "()", fname==NULL ? "" : "()",
min==max ? "exactly" min==max ? "exactly"
@ -220,7 +215,7 @@ vgetargs1(PyObject *args, char *format, va_list *p_va, int compat)
static void static void
seterror(int iarg, char *msg, int *levels, char *fname, char *message) seterror(int iarg, char *msg, int *levels, char *fname, char *message)
{ {
char buf[256]; char buf[512];
int i; int i;
char *p = buf; char *p = buf;
@ -228,14 +223,14 @@ seterror(int iarg, char *msg, int *levels, char *fname, char *message)
return; return;
else if (message == NULL) { else if (message == NULL) {
if (fname != NULL) { if (fname != NULL) {
sprintf(p, "%s() ", fname); sprintf(p, "%.200s() ", fname);
p += strlen(p); p += strlen(p);
} }
if (iarg != 0) { if (iarg != 0) {
sprintf(p, "argument %d", iarg); sprintf(p, "argument %d", iarg);
i = 0; i = 0;
p += strlen(p); p += strlen(p);
while (levels[i] > 0) { while (levels[i] > 0 && (int)(p-buf) < 220) {
sprintf(p, ", item %d", levels[i]-1); sprintf(p, ", item %d", levels[i]-1);
p += strlen(p); p += strlen(p);
i++; i++;
@ -245,7 +240,7 @@ seterror(int iarg, char *msg, int *levels, char *fname, char *message)
sprintf(p, "argument"); sprintf(p, "argument");
p += strlen(p); p += strlen(p);
} }
sprintf(p, " %s", msg); sprintf(p, " %.256s", msg);
message = buf; message = buf;
} }
PyErr_SetString(PyExc_TypeError, message); PyErr_SetString(PyExc_TypeError, message);
@ -300,8 +295,8 @@ converttuple(PyObject *arg, char **p_format, va_list *p_va, int *levels,
if (!PySequence_Check(arg) || PyString_Check(arg)) { if (!PySequence_Check(arg) || PyString_Check(arg)) {
levels[0] = 0; levels[0] = 0;
sprintf(msgbuf, sprintf(msgbuf,
toplevel ? "expected %d arguments, not %s" : toplevel ? "expected %d arguments, not %.50s" :
"must be %d-item sequence, not %s", "must be %d-item sequence, not %.50s",
n, arg == Py_None ? "None" : arg->ob_type->tp_name); n, arg == Py_None ? "None" : arg->ob_type->tp_name);
return msgbuf; return msgbuf;
} }