[3.5] bpo-33001: Prevent buffer overrun in os.symlink (GH-5989) (#5991)

* bpo-33001: Minimal fix to prevent buffer overrun in os.symlink * Remove invalid test
author: Steve Dower <steve.dower@microsoft.com> 2018-05-14 18:03:17 (GMT)
committer: larryhastings <larry@hastings.org> 2018-05-14 18:03:17 (GMT)
commit: f381cfe07d15d52f27de771a62a8167668f0dd51 (patch)
tree: c7726fb78429f1f20dbdd6c3997390adf0b76deb /Lib/test/test_os.py
parent: 937ac1fe069a4dc8471dff205f553d82e724015b (diff)
download: cpython-f381cfe07d15d52f27de771a62a8167668f0dd51.zip
cpython-f381cfe07d15d52f27de771a62a8167668f0dd51.tar.gz
cpython-f381cfe07d15d52f27de771a62a8167668f0dd51.tar.bz2
1 files changed, 40 insertions, 0 deletions
diff --git a/Lib/test/test_os.py b/Lib/test/test_os.py
index bb5d2e3..e207738 100644
--- a/Lib/test/test_os.py
+++ b/Lib/test/test_os.py
@@ -2117,6 +2117,46 @@ class Win32SymlinkTests(unittest.TestCase):
             os.remove(file1)
             shutil.rmtree(level1)
 
+    def test_buffer_overflow(self):
+        # Older versions would have a buffer overflow when detecting
+        # whether a link source was a directory. This test ensures we
+        # no longer crash, but does not otherwise validate the behavior
+        segment = 'X' * 27
+        path = os.path.join(*[segment] * 10)
+        test_cases = [
+            # overflow with absolute src
+            ('\\' + path, segment),
+            # overflow dest with relative src
+            (segment, path),
+            # overflow when joining src
+            (path[:180], path[:180]),
+        ]
+        for src, dest in test_cases:
+            try:
+                os.symlink(src, dest)
+            except FileNotFoundError:
+                pass
+            else:
+                try:
+                    os.remove(dest)
+                except OSError:
+                    pass
+            # Also test with bytes, since that is a separate code path.
+            # However, because of the stack layout, it is not possible
+            # to exploit the overflow on Python 3.5 using bytes
+            try:
+                os.symlink(os.fsencode(src), os.fsencode(dest))
+            except ValueError:
+                # Conversion function checks for len(arg) >= 260
+                pass
+            except FileNotFoundError:
+                pass
+            else:
+                try:
+                    os.remove(dest)
+                except OSError:
+                    pass
+
 
 @unittest.skipUnless(sys.platform == "win32", "Win32 specific tests")
 class Win32JunctionTests(unittest.TestCase):
author	Steve Dower <steve.dower@microsoft.com>	2018-05-14 18:03:17 (GMT)
committer	larryhastings <larry@hastings.org>	2018-05-14 18:03:17 (GMT)
commit	f381cfe07d15d52f27de771a62a8167668f0dd51 (patch)
tree	c7726fb78429f1f20dbdd6c3997390adf0b76deb /Lib/test/test_os.py
parent	937ac1fe069a4dc8471dff205f553d82e724015b (diff)
download	cpython-f381cfe07d15d52f27de771a62a8167668f0dd51.zip cpython-f381cfe07d15d52f27de771a62a8167668f0dd51.tar.gz cpython-f381cfe07d15d52f27de771a62a8167668f0dd51.tar.bz2