]> granicus.if.org Git - python/commitdiff
projects / python / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7388f73)
Trent Mick:
authorGuido van Rossum <guido@python.org>
Wed, 28 Jun 2000 21:12:25 +0000 (21:12 +0000)
committerGuido van Rossum <guido@python.org>
Wed, 28 Jun 2000 21:12:25 +0000 (21:12 +0000)
Various small fixes to the builtin module to ensure no buffer
overflows.

- chunk #1:
Proper casting to ensure no truncation, and hence no surprises, in the
comparison.

- chunk #2:
The id() function guarantees a unique return value for different
objects.  It does this by returning the pointer to the object. By
returning a PyInt, on Win64 (sizeof(long) < sizeof(void*)) the pointer
is truncated and the guarantee may be proven false. The appropriate
return function is PyLong_FromVoidPtr, this returns a PyLong if that
is necessary to return the pointer without truncation.

[GvR: note that this means that id() can now return a long on Win32
platforms.  This *might* break some code...]

- chunk #3:
Ensure no overflow in raw_input(). Granted the user would have to pass
in >2GB of data but it *is* a possible buffer overflow condition.

Python/bltinmodule.c patch | blob | history

diff --git a/Python/bltinmodule.c b/Python/bltinmodule.c
index 6d2a0fcde0e1ea4bc8b97a3a3b9a638e2de6c210..bcde319f21bf40ac4d3d21ad3366ff741b32527a 100644 (file)
--- a/Python/bltinmodule.c
+++ b/Python/bltinmodule.c
@@ -832,7 +832,7 @@ builtin_eval(self, args)
                return NULL;
        }
        str = PyString_AsString(cmd);
-       if ((int)strlen(str) != PyString_Size(cmd)) {
+       if (strlen(str) != (size_t)PyString_Size(cmd)) {
                PyErr_SetString(PyExc_ValueError,
                           "embedded '\\0' in string arg");
                return NULL;
@@ -985,7 +985,7 @@ builtin_id(self, args)
 
        if (!PyArg_ParseTuple(args, "O:id", &v))
                return NULL;
-       return PyInt_FromLong((long)v);
+       return PyLong_FromVoidPtr(v);
 }
 
 static char id_doc[] =
@@ -1873,7 +1873,14 @@ builtin_raw_input(self, args)
                        result = NULL;
                }
                else { /* strip trailing '\n' */
-                       result = PyString_FromStringAndSize(s, strlen(s)-1);
+                       size_t len = strlen(s);
+                       if (len > INT_MAX) {
+                               PyErr_SetString(PyExc_OverflowError, "input too long");
+                               result = NULL;
+                       }
+                       else {
+                               result = PyString_FromStringAndSize(s, (int)(len-1));
+                       }
                }
                PyMem_FREE(s);
                return result;
Unnamed repository; edit this file 'description' to name the repository.