Trent Mick <trentm@activestate.com>:

This patch fixes possible overflow in the use of
PyOS_GetLastModificationTime in getmtime.c and Python/import.c.

Currently PyOS_GetLastModificationTime returns a C long. This can
overflow on Win64 where sizeof(time_t) > sizeof(long). Besides it
should logically return a time_t anyway (this patch changes this).

As well, import.c uses PyOS_GetLastModificationTime for .pyc
timestamping.  There has been recent discussion about the .pyc header
format on python-dev.  This patch adds oveflow checking to import.c so
that an exception will be raised if the modification time
overflows. There are a few other minor 64-bit readiness changes made
to the module as well:

- size_t instead of int or long for function-local buffer and string
length variables

- one buffer overflow check was added (raises an exception on possible
overflow, this overflow chance exists on 32-bit platforms as well), no
other possible buffer overflows existed (from my analysis anyway)

Closes SourceForge patch #100509.

2 files changed, 33 insertions, 14 deletions

diff --git a/Python/getmtime.c b/Python/getmtime.c
index 4bf2adf..aea6909 100644
--- a/Python/getmtime.c
+++ b/Python/getmtime.c
@@ -33,13 +33,14 @@ PERFORMANCE OF THIS SOFTWARE.
 
 /* (A separate file because this may be OS dependent) */
 
+#include "Python.h"
 #include "config.h"
 
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 
-long
+time_t
 PyOS_GetLastModificationTime(path, fp)
 	char *path;
 	FILE *fp;
diff --git a/Python/import.c b/Python/import.c
index a23b71b..ede6cb6 100644
--- a/Python/import.c
+++ b/Python/import.c
@@ -74,7 +74,7 @@ PERFORMANCE OF THIS SOFTWARE.
 #endif
 
 
-extern long PyOS_GetLastModificationTime(); /* In getmtime.c */
+extern time_t PyOS_GetLastModificationTime(); /* In getmtime.c */
 
 /* Magic word to reject .pyc files generated by other Python versions */
 /* Change for each incompatible change */
@@ -549,9 +549,9 @@ static char *
 make_compiled_pathname(pathname, buf, buflen)
 	char *pathname;
 	char *buf;
-	int buflen;
+	size_t buflen;
 {
-	int len;
+	size_t len;
 
 	len = strlen(pathname);
 	if (len+2 > buflen)
@@ -732,7 +732,7 @@ load_source_module(name, pathname, fp)
 	char *pathname;
 	FILE *fp;
 {
-	long mtime;
+	time_t mtime;
 	FILE *fpc;
 	char buf[MAXPATHLEN+1];
 	char *cpathname;
@@ -740,7 +740,20 @@ load_source_module(name, pathname, fp)
 	PyObject *m;
 
 	mtime = PyOS_GetLastModificationTime(pathname, fp);
-	cpathname = make_compiled_pathname(pathname, buf, MAXPATHLEN+1);
+	if (mtime == -1)
+		return NULL;
+#if SIZEOF_TIME_T > 4
+	/* Python's .pyc timestamp handling presumes that the timestamp fits
+	   in 4 bytes. This will be fine until sometime in the year 2038,
+	   when a 4-byte signed time_t will overflow.
+	 */
+	if (mtime >> 32) {
+		PyErr_SetString(PyExc_OverflowError,
+			"modification time overflows a 4 bytes");
+		return NULL;
+	}
+#endif
+	cpathname = make_compiled_pathname(pathname, buf, (size_t)MAXPATHLEN+1);
 	if (cpathname != NULL &&
 	    (fpc = check_compiled_module(pathname, mtime, cpathname))) {
 		co = read_compiled_module(cpathname, fpc);
@@ -771,7 +784,7 @@ load_source_module(name, pathname, fp)
 /* Forward */
 static PyObject *load_module Py_PROTO((char *, FILE *, char *, int));
 static struct filedescr *find_module Py_PROTO((char *, PyObject *,
-					       char *, int, FILE **));
+					       char *, size_t, FILE **));
 static struct _frozen *find_frozen Py_PROTO((char *name));
 
 /* Load a package and return its module object WITH INCREMENTED
@@ -869,10 +882,11 @@ find_module(realname, path, buf, buflen, p_fp)
 	PyObject *path;
 	/* Output parameters: */
 	char *buf;
-	int buflen;
+	size_t buflen;
 	FILE **p_fp;
 {
-	int i, npath, len, namelen;
+	int i, npath;
+	size_t len, namelen;
 	struct _frozen *f;
 	struct filedescr *fdp = NULL;
 	FILE *fp = NULL;
@@ -882,6 +896,10 @@ find_module(realname, path, buf, buflen, p_fp)
 	static struct filedescr fd_package = {"", "", PKG_DIRECTORY};
 	char name[MAXPATHLEN+1];
 
+	if (strlen(realname) > MAXPATHLEN) {
+		PyErr_SetString(PyExc_OverflowError, "module name is too long");
+		return NULL;
+	}
 	strcpy(name, realname);
 
 	if (path != NULL && PyString_Check(path)) {
@@ -933,7 +951,7 @@ find_module(realname, path, buf, buflen, p_fp)
 		if (len + 2 + namelen + MAXSUFFIXSIZE >= buflen)
 			continue; /* Too long */
 		strcpy(buf, PyString_AsString(v));
-		if ((int)strlen(buf) != len)
+		if (strlen(buf) != len)
 			continue; /* v contains '\0' */
 #ifdef macintosh
 #ifdef INTERN_STRINGS
@@ -1181,8 +1199,8 @@ static int
 find_init_module(buf)
 	char *buf;
 {
-	int save_len = strlen(buf);
-	int i = save_len;
+	size_t save_len = strlen(buf);
+	size_t i = save_len;
 	struct stat statbuf;
 
 	if (save_len + 13 >= MAXPATHLEN)
@@ -1577,7 +1595,7 @@ get_parent(globals, buf, p_buflen)
 	else {
 		char *start = PyString_AS_STRING(modname);
 		char *lastdot = strrchr(start, '.');
-		int len;
+		size_t len;
 		if (lastdot == NULL)
 			return Py_None;
 		len = lastdot - start;
@@ -1612,7 +1630,7 @@ load_next(mod, altmod, p_name, buf, p_buflen)
 {
 	char *name = *p_name;
 	char *dot = strchr(name, '.');
-	int len;
+	size_t len;
 	char *p;
 	PyObject *result;