From 6c849697fd0085ea4415b7ef5bdef30e734092b2 Mon Sep 17 00:00:00 2001
From: Guido van Rossum <guido@python.org>
Date: Mon, 26 Sep 1994 15:47:17 +0000
Subject: Fix various potential buffer overrun problems.

---
 Python/import.c | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/Python/import.c b/Python/import.c
index f655041..2f782aa 100644
--- a/Python/import.c
+++ b/Python/import.c
@@ -167,8 +167,12 @@ extern char *getprogramname();
 
 #endif /* DYNAMIC_LINK */
 
-/* Magic word to reject .pyc files generated by other Python versions */
+/* Max length of module suffix searched for -- accommodates "module.so" */
+#ifndef MAXSUFFIXSIZE
+#define MAXSUFFIXSIZE 10
+#endif
 
+/* Magic word to reject .pyc files generated by other Python versions */
 #define MAGIC 0x999903L /* Increment by one for each incompatible change */
 
 static object *modules;
@@ -355,7 +359,7 @@ load_dynamic_module(name, namebuf, m, m_ret)
                         char buf[256];
                         if (verbose)
                                 perror(namebuf);
-                        sprintf(buf,"Failed to load %s", namebuf);
+                        sprintf(buf, "Failed to load %.200s", namebuf);
                         err_setstr(ImportError, buf);
                         return NULL;
                 }
@@ -396,7 +400,7 @@ get_module(m, name, m_ret)
 	char *name;
 	object **m_ret;
 {
-	int err, npath, i, len;
+	int err, npath, i, len, namelen;
 	long magic;
 	long mtime, pyc_mtime;
 	char namebuf[MAXPATHLEN+1];
@@ -413,16 +417,21 @@ get_module(m, name, m_ret)
 		return NULL;
 	}
 	npath = getlistsize(path);
+	namelen = strlen(name);
 	for (i = 0; i < npath; i++) {
 		v = getlistitem(path, i);
 		if (!is_stringobject(v))
 			continue;
-		strcpy(namebuf, getstringvalue(v));
 		len = getstringsize(v);
+		if (len + 1 + namelen + MAXSUFFIXSIZE >= MAXPATHLEN)
+			continue; /* Too long */
+		strcpy(namebuf, getstringvalue(v));
+		if (strlen(namebuf) != len)
+			continue; /* v contains '\0' */
 		if (len > 0 && namebuf[len-1] != SEP)
 			namebuf[len++] = SEP;
 		strcpy(namebuf+len, name);
-		len += strlen(name);
+		len += namelen;
 		for (fdp = filetab; fdp->suffix != NULL; fdp++) {
 			strcpy(namebuf+len, fdp->suffix);
 			if (verbose > 1)
@@ -435,7 +444,7 @@ get_module(m, name, m_ret)
 			break;
 	}
 	if (fp == NULL) {
-		sprintf(namebuf, "No module named %s", name);
+		sprintf(namebuf, "No module named %.200s", name);
 		err_setstr(ImportError, namebuf);
 		return NULL;
 	}
@@ -761,9 +770,9 @@ void aix_loaderror(char *namebuf)
 	};
 
 #define LOAD_ERRTAB_LEN	(sizeof(load_errtab)/sizeof(load_errtab[0]))
-#define ERRBUF_APPEND(s)	strncat(errbuf, s, sizeof(errbuf))
+#define ERRBUF_APPEND(s) strncat(errbuf, s, sizeof(errbuf)-strlen(errbuf)-1)
 
-	sprintf(errbuf, " from module %s ", namebuf);
+	sprintf(errbuf, " from module %.200s ", namebuf);
 
 	if (!loadquery(1, &message[0], sizeof(message))) 
 		ERRBUF_APPEND(strerror(errno));
@@ -777,7 +786,7 @@ void aix_loaderror(char *namebuf)
 		ERRBUF_APPEND(message[i]);
 		ERRBUF_APPEND("\n");
 	}
-	errbuf[strlen(errbuf)-1] = '\0' ;	/* trim off last newline */
+	errbuf[strlen(errbuf)-1] = '\0';	/* trim off last newline */
 	err_setstr(ImportError, errbuf); 
 	return; 
 }
-- 
cgit v0.12