author | Guido van Rossum <guido@python.org> | 1994-09-29 09:38:04 (GMT) |
---|---|---|
committer | Guido van Rossum <guido@python.org> | 1994-09-29 09:38:04 (GMT) |
commit | bfd5d755a0edd12a8249fd690fd93b090829bf6c (patch) | |
tree | ec032bb9f7f2404a7de2e0c50205f9df02a16f10 /Python | |
parent | 03093a248d4ef3af23a5906dea276c01e0c1ae2c (diff) | |
* Python/traceback.c: security fix -- check for buffer overflow
before concatenating sys.path item and module name
Diffstat (limited to 'Python')
-rw-r--r-- | Python/traceback.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/Python/traceback.c b/Python/traceback.c
index ea8fa7d..1db9c94 100644
--- a/Python/traceback.c
+++ b/Python/traceback.c
@@ -178,13 +178,18 @@ tb_displayline(f, filename, lineno, name)
 path = sysget("path");
 if (path != NULL && is_listobject(path)) {
 int npath = getlistsize(path);
+ int taillen = strlen(tail);
 char namebuf[MAXPATHLEN+1];
 for (i = 0; i < npath; i++) {
 object *v = getlistitem(path, i);
 if (is_stringobject(v)) {
 int len;
- strcpy(namebuf, getstringvalue(v));
 len = getstringsize(v);
+ if (len + 1 + taillen >= MAXPATHLEN)
+ continue; /* Too long */
+ strcpy(namebuf, getstringvalue(v));
+ if (strlen(namebuf) != len)
+ continue; /* v contains '\0' */
 if (len > 0 && namebuf[len-1] != SEP)
 namebuf[len++] = SEP;
 strcpy(namebuf+len, tail); |
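Review bot: The bound `if (len + 1 + taillen >= MAXPATHLEN)` is evaluated in `int`, and `int taillen = strlen(tail);` narrows a `size_t`, so the guard is only as sound as the assumption that `tail` is short; `tail` is set outside this hunk, so that cannot be confirmed here. Keeping the lengths unsigned removes the assumption: `size_t taillen = strlen(tail);` and `if ((size_t)len + 1 + taillen >= MAXPATHLEN)`. The same applies to `strlen(namebuf) != len`, which mixes `size_t` and `int`. A short comment on the guard saying that the `1` reserves room for the `SEP` appended two lines below, and that `>=` leaves space for the terminating NUL in `namebuf[MAXPATHLEN+1]`, would make the bound checkable at a glance. tb_displayline starts and ends outside the hunk.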