From 106f2dae868770f6b6ed2c949dd5b4deb07b880b Mon Sep 17 00:00:00 2001
From: Guido van Rossum
Date: Wed, 28 Jun 2000 21:12:25 +0000
Subject: [PATCH] Trent Mick: Various small fixes to the builtin module to ensure no buffer overflows. - chunk #1: Proper casting to ensure no truncation, and hence no surprises, in the comparison. - chunk #2: The id() function guarantees a unique return value for different objects. It does this by returning the pointer to the object. By returning a PyInt, on Win64 (sizeof(long) < sizeof(void*)) the pointer is truncated and the guarantee may be proven false. The appropriate return function is PyLong_FromVoidPtr, this returns a PyLong if that is necessary to return the pointer without truncation. [GvR: note that this means that id() can now return a long on Win32 platforms. This *might* break some code...] - chunk #3: Ensure no overflow in raw_input(). Granted the user would have to pass in >2GB of data but it *is* a possible buffer overflow condition.
---
 Python/bltinmodule.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/Python/bltinmodule.c b/Python/bltinmodule.c
index 6d2a0fcde0..bcde319f21 100644
--- a/Python/bltinmodule.c
+++ b/Python/bltinmodule.c
@@ -832,7 +832,7 @@ builtin_eval(self, args)
 return NULL;
 }
 str = PyString_AsString(cmd);
- if ((int)strlen(str) != PyString_Size(cmd)) {
+ if (strlen(str) != (size_t)PyString_Size(cmd)) {
 PyErr_SetString(PyExc_ValueError,
 "embedded '\\0' in string arg");
 return NULL;
@@ -985,7 +985,7 @@ builtin_id(self, args)
 if (!PyArg_ParseTuple(args, "O:id", &v))
 return NULL;
- return PyInt_FromLong((long)v);
+ return PyLong_FromVoidPtr(v);
 }
 static char id_doc[] =
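Review bot: The `(size_t)` cast on `PyString_Size(cmd)` in the new comparison in builtin_eval is only sound if that call cannot return a negative value at this point. A negative result would convert to a very large unsigned number and be reported as the misleading "embedded '\\0'" error. The check that presumably guarantees a string object sits above the hunk, so a short comment would keep the assumption visible, e.g. `/* cmd is a string here, so PyString_Size() is non-negative */`. The same comment could record why the comparison exists: `str` is measured with `strlen()`, so bytes after an embedded NUL would otherwise be ignored silently by any C-string consumer further down (not visible in the hunk).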
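Review bot: Returning `PyLong_FromVoidPtr(v)` from builtin_id changes the result type callers can observe, yet nothing in this hunk touches the `id_doc` text that begins on its last line. The commit message itself warns that id() may now return a long. The docstring body lies outside the hunk, so this is inferred, but if it still promises a plain integer it should be updated to mention the long case. A one-line comment above the return would also record the reason for the change: `/* full pointer width: (long)v truncates where sizeof(long) < sizeof(void*) */`.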
@@ -1873,7 +1873,14 @@ builtin_raw_input(self, args)
 result = NULL;
 }
 else { /* strip trailing '\n' */
- result = PyString_FromStringAndSize(s, strlen(s)-1);
+ size_t len = strlen(s);
+ if (len > INT_MAX) {
+ PyErr_SetString(PyExc_OverflowError, "input too long");
+ result = NULL;
+ }
+ else {
+ result = PyString_FromStringAndSize(s, (int)(len-1));
+ }
 }
 PyMem_FREE(s);
 return result;
-- 
2.40.0
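Review bot: `(int)(len-1)` in the new else branch of builtin_raw_input depends on `len` being at least 1. For an empty string `len-1` wraps around, the `len > INT_MAX` guard does not catch it, and the cast then hands an out-of-range size to `PyString_FromStringAndSize`. The branch that appears to handle empty input lies above the hunk, so the code is probably safe as written, but the dependency should be stated where `len` is declared, e.g. `size_t len = strlen(s); /* len >= 1: empty input handled above */`. Separately, the last byte is dropped without confirming it is '\n', and `INT_MAX` needs `<limits.h>` in scope, which the hunk does not show.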