From: Guido van Rossum <guido@python.org>
Date: Wed, 28 Jun 2000 21:12:25 +0000 (+0000)
Subject: Trent Mick:
X-Git-Tag: v2.0b1~1353
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=106f2dae868770f6b6ed2c949dd5b4deb07b880b;p=python

Trent Mick:

Various small fixes to the builtin module to ensure no buffer
overflows.

- chunk #1:
Proper casting to ensure no truncation, and hence no surprises, in the
comparison.

- chunk #2:
The id() function guarantees a unique return value for different
objects.  It does this by returning the pointer to the object. By
returning a PyInt, on Win64 (sizeof(long) < sizeof(void*)) the pointer
is truncated and the guarantee may be proven false. The appropriate
return function is PyLong_FromVoidPtr, which returns a PyLong when that
is necessary to return the pointer without truncation.

[GvR: note that this means that id() can now return a long on Win32
platforms.  This *might* break some code...]

- chunk #3:
Ensure no overflow in raw_input(). Granted the user would have to pass
in >2GB of data but it *is* a possible buffer overflow condition.
---

diff --git a/Python/bltinmodule.c b/Python/bltinmodule.c
index 6d2a0fcde0..bcde319f21 100644
--- a/Python/bltinmodule.c
+++ b/Python/bltinmodule.c
@@ -832,7 +832,7 @@ builtin_eval(self, args)
 		return NULL;
 	}
 	str = PyString_AsString(cmd);
-	if ((int)strlen(str) != PyString_Size(cmd)) {
+	if (strlen(str) != (size_t)PyString_Size(cmd)) {
 		PyErr_SetString(PyExc_ValueError,
 			   "embedded '\\0' in string arg");
 		return NULL;
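Review bot: The embedded-NUL check in builtin_eval has no comment saying why it exists, and the new `(size_t)` cast is correct only while PyString_Size(cmd) is non-negative. The lines that establish cmd as a string are above the hunk, so this is presumably already guaranteed. If PyString_Size did return -1, the cast would make the lengths differ and the ValueError branch would be taken, which fails closed but with a misleading message. I would add `/* strlen() stops at the first '\0'; a mismatch means the C string is shorter than the Python string */` above the `if`. builtin_eval starts and ends outside the hunk.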
@@ -985,7 +985,7 @@ builtin_id(self, args)
 
 	if (!PyArg_ParseTuple(args, "O:id", &v))
 		return NULL;
-	return PyInt_FromLong((long)v);
+	return PyLong_FromVoidPtr(v);
 }
 
 static char id_doc[] =
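Review bot: The new return in builtin_id can produce a PyLong instead of a PyInt, and nothing next to the call records that or what the value represents. I would add `/* may be a PyLong where sizeof(void*) > sizeof(long); the value is the object's address */` above the `return`. The id_doc text begins on the last line of the hunk and continues outside it, so it should be checked separately to confirm it does not promise a plain integer.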
@@ -1873,7 +1873,14 @@ builtin_raw_input(self, args)
 			result = NULL;
 		}
 		else { /* strip trailing '\n' */
-			result = PyString_FromStringAndSize(s, strlen(s)-1);
+			size_t len = strlen(s);
+			if (len > INT_MAX) {
+				PyErr_SetString(PyExc_OverflowError, "input too long");
+				result = NULL;
+			}
+			else {
+				result = PyString_FromStringAndSize(s, (int)(len-1));
+			}
 		}
 		PyMem_FREE(s);
 		return result;
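Review bot: `(int)(len-1)` in builtin_raw_input is safe only when len is at least 1; for an empty string the size_t subtraction wraps and the cast typically yields -1 as the length passed to PyString_FromStringAndSize. The added `len > INT_MAX` test does not cover that case, so the guarantee has to come from the `if` this `else` belongs to, which is above the hunk and presumably handles the empty string. A comment such as `/* len >= 1: the empty string was handled above */` beside the declaration would make that dependency explicit. The branch also drops the last byte without checking that it is '\n', so a line that arrives without a newline would lose a character. INT_MAX needs `<limits.h>`, and the hunk does not show whether this file includes it.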