summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Misc/NEWS3
-rw-r--r--Modules/getpath.c16
-rw-r--r--Python/sysmodule.c7
3 files changed, 19 insertions, 7 deletions
diff --git a/Misc/NEWS b/Misc/NEWS
index f5b56ef..26c6295 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -10,6 +10,9 @@ What's New in Python 3.4.0 Alpha 1?
Core and Builtins
-----------------
+- Issue #15905: Fix theoretical buffer overflow in handling of sys.argv[0],
+ prefix and exec_prefix if the operation system does not obey MAXPATHLEN.
+
- Issue #18408: Fix many various bugs in code handling errors, especially
on memory allocation failure (MemoryError).
diff --git a/Modules/getpath.c b/Modules/getpath.c
index 21dc854..1a43150 100644
--- a/Modules/getpath.c
+++ b/Modules/getpath.c
@@ -326,6 +326,7 @@ search_for_prefix(wchar_t *argv0_path, wchar_t *home, wchar_t *_prefix)
if (home) {
wchar_t *delim;
wcsncpy(prefix, home, MAXPATHLEN);
+ prefix[MAXPATHLEN] = L'\0';
delim = wcschr(prefix, DELIM);
if (delim)
*delim = L'\0';
@@ -335,13 +336,15 @@ search_for_prefix(wchar_t *argv0_path, wchar_t *home, wchar_t *_prefix)
}
/* Check to see if argv[0] is in the build directory */
- wcscpy(prefix, argv0_path);
+ wcsncpy(prefix, argv0_path, MAXPATHLEN);
+ prefix[MAXPATHLEN] = L'\0';
joinpath(prefix, L"Modules/Setup");
if (isfile(prefix)) {
/* Check VPATH to see if argv0_path is in the build directory. */
vpath = _Py_char2wchar(VPATH, NULL);
if (vpath != NULL) {
- wcscpy(prefix, argv0_path);
+ wcsncpy(prefix, argv0_path, MAXPATHLEN);
+ prefix[MAXPATHLEN] = L'\0';
joinpath(prefix, vpath);
PyMem_RawFree(vpath);
joinpath(prefix, L"Lib");
@@ -365,6 +368,7 @@ search_for_prefix(wchar_t *argv0_path, wchar_t *home, wchar_t *_prefix)
/* Look at configure's PREFIX */
wcsncpy(prefix, _prefix, MAXPATHLEN);
+ prefix[MAXPATHLEN] = L'\0';
joinpath(prefix, lib_python);
joinpath(prefix, LANDMARK);
if (ismodule(prefix))
@@ -391,6 +395,7 @@ search_for_exec_prefix(wchar_t *argv0_path, wchar_t *home, wchar_t *_exec_prefix
wcsncpy(exec_prefix, delim+1, MAXPATHLEN);
else
wcsncpy(exec_prefix, home, MAXPATHLEN);
+ exec_prefix[MAXPATHLEN] = L'\0';
joinpath(exec_prefix, lib_python);
joinpath(exec_prefix, L"lib-dynload");
return 1;
@@ -399,7 +404,8 @@ search_for_exec_prefix(wchar_t *argv0_path, wchar_t *home, wchar_t *_exec_prefix
/* Check to see if argv[0] is in the build directory. "pybuilddir.txt"
is written by setup.py and contains the relative path to the location
of shared library modules. */
- wcscpy(exec_prefix, argv0_path);
+ wcsncpy(exec_prefix, argv0_path, MAXPATHLEN);
+ exec_prefix[MAXPATHLEN] = L'\0';
joinpath(exec_prefix, L"pybuilddir.txt");
if (isfile(exec_prefix)) {
FILE *f = _Py_wfopen(exec_prefix, L"rb");
@@ -420,7 +426,8 @@ search_for_exec_prefix(wchar_t *argv0_path, wchar_t *home, wchar_t *_exec_prefix
Py_DECREF(decoded);
if (k >= 0) {
rel_builddir_path[k] = L'\0';
- wcscpy(exec_prefix, argv0_path);
+ wcsncpy(exec_prefix, argv0_path, MAXPATHLEN);
+ exec_prefix[MAXPATHLEN] = L'\0';
joinpath(exec_prefix, rel_builddir_path);
return -1;
}
@@ -442,6 +449,7 @@ search_for_exec_prefix(wchar_t *argv0_path, wchar_t *home, wchar_t *_exec_prefix
/* Look at configure's EXEC_PREFIX */
wcsncpy(exec_prefix, _exec_prefix, MAXPATHLEN);
+ exec_prefix[MAXPATHLEN] = L'\0';
joinpath(exec_prefix, lib_python);
joinpath(exec_prefix, L"lib-dynload");
if (isdir(exec_prefix))
diff --git a/Python/sysmodule.c b/Python/sysmodule.c
index 2680e6b..e14de49 100644
--- a/Python/sysmodule.c
+++ b/Python/sysmodule.c
@@ -1854,10 +1854,11 @@ sys_update_path(int argc, wchar_t **argv)
if (q == NULL)
argv0 = link; /* argv0 without path */
else {
- /* Must make a copy */
- wcscpy(argv0copy, argv0);
+ /* Must make a copy, argv0copy has room for 2 * MAXPATHLEN */
+ wcsncpy(argv0copy, argv0, MAXPATHLEN);
q = wcsrchr(argv0copy, SEP);
- wcscpy(q+1, link);
+ wcsncpy(q+1, link, MAXPATHLEN);
+ q[MAXPATHLEN + 1] = L'\0';
argv0 = argv0copy;
}
}