diff options
| author | Guido van Rossum <guido@python.org> | 1994-09-26 15:47:17 (GMT) |
|---|---|---|
| committer | Guido van Rossum <guido@python.org> | 1994-09-26 15:47:17 (GMT) |
| commit | 6c849697fd0085ea4415b7ef5bdef30e734092b2 (patch) | |
| tree | 9fbb73dd94b46970e99d9c21532a5aa961c2db36 | |
| parent | 138d72f64b640f25db2b1e7b480c3935e74cdd4a (diff) | |
| download | cpython-6c849697fd0085ea4415b7ef5bdef30e734092b2.zip cpython-6c849697fd0085ea4415b7ef5bdef30e734092b2.tar.gz cpython-6c849697fd0085ea4415b7ef5bdef30e734092b2.tar.bz2 | |
Fix various potential buffer overrun problems.
| -rw-r--r-- | Python/import.c | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/Python/import.c b/Python/import.c index f655041..2f782aa 100644 --- a/Python/import.c +++ b/Python/import.c @@ -167,8 +167,12 @@ extern char *getprogramname(); #endif /* DYNAMIC_LINK */ -/* Magic word to reject .pyc files generated by other Python versions */ +/* Max length of module suffix searched for -- accommodates "module.so" */ +#ifndef MAXSUFFIXSIZE +#define MAXSUFFIXSIZE 10 +#endif +/* Magic word to reject .pyc files generated by other Python versions */ #define MAGIC 0x999903L /* Increment by one for each incompatible change */ static object *modules; @@ -355,7 +359,7 @@ load_dynamic_module(name, namebuf, m, m_ret) char buf[256]; if (verbose) perror(namebuf); - sprintf(buf,"Failed to load %s", namebuf); + sprintf(buf, "Failed to load %.200s", namebuf); err_setstr(ImportError, buf); return NULL; } @@ -396,7 +400,7 @@ get_module(m, name, m_ret) char *name; object **m_ret; { - int err, npath, i, len; + int err, npath, i, len, namelen; long magic; long mtime, pyc_mtime; char namebuf[MAXPATHLEN+1]; @@ -413,16 +417,21 @@ get_module(m, name, m_ret) return NULL; } npath = getlistsize(path); + namelen = strlen(name); for (i = 0; i < npath; i++) { v = getlistitem(path, i); if (!is_stringobject(v)) continue; - strcpy(namebuf, getstringvalue(v)); len = getstringsize(v); + if (len + 1 + namelen + MAXSUFFIXSIZE >= MAXPATHLEN) + continue; /* Too long */ + strcpy(namebuf, getstringvalue(v)); + if (strlen(namebuf) != len) + continue; /* v contains '\0' */ if (len > 0 && namebuf[len-1] != SEP) namebuf[len++] = SEP; strcpy(namebuf+len, name); - len += strlen(name); + len += namelen; for (fdp = filetab; fdp->suffix != NULL; fdp++) { strcpy(namebuf+len, fdp->suffix); if (verbose > 1) @@ -435,7 +444,7 @@ get_module(m, name, m_ret) break; } if (fp == NULL) { - sprintf(namebuf, "No module named %s", name); + sprintf(namebuf, "No module named %.200s", name); err_setstr(ImportError, namebuf); return NULL; } @@ -761,9 +770,9 @@ void aix_loaderror(char *namebuf) }; #define LOAD_ERRTAB_LEN (sizeof(load_errtab)/sizeof(load_errtab[0])) -#define ERRBUF_APPEND(s) strncat(errbuf, s, sizeof(errbuf)) +#define ERRBUF_APPEND(s) strncat(errbuf, s, sizeof(errbuf)-strlen(errbuf)-1) - sprintf(errbuf, " from module %s ", namebuf); + sprintf(errbuf, " from module %.200s ", namebuf); if (!loadquery(1, &message[0], sizeof(message))) ERRBUF_APPEND(strerror(errno)); @@ -777,7 +786,7 @@ void aix_loaderror(char *namebuf) ERRBUF_APPEND(message[i]); ERRBUF_APPEND("\n"); } - errbuf[strlen(errbuf)-1] = '\0' ; /* trim off last newline */ + errbuf[strlen(errbuf)-1] = '\0'; /* trim off last newline */ err_setstr(ImportError, errbuf); return; } |