Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 160679 Details for
Bug 232137
dev-lang/python Multiple vulnerabilities (CVE-2008-{3142,3143,3144})
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
python-2.4.4-CVE-2008-3144.patch
python-2.4.4-CVE-2008-3144.patch (text/plain), 1.82 KB, created by
Robert Buchholz (RETIRED)
on 2008-07-18 02:26:26 UTC
(
hide
)
Description:
python-2.4.4-CVE-2008-3144.patch
Filename:
MIME Type:
Creator:
Robert Buchholz (RETIRED)
Created:
2008-07-18 02:26:26 UTC
Size:
1.82 KB
patch
obsolete
>r63883 | gregory.p.smith | 2008-06-02 02:07:25 +0200 (Mon, 02 Jun 2008) | 5 lines > >- Issue #2588, #2589: Fix potential integer underflow and overflow > conditions in the PyOS_vsnprintf C API function. > >This is a backport of r63728 and r63734 from trunk. > >Index: Python-2.4.4/Python/mysnprintf.c >=================================================================== >--- Python-2.4.4.orig/Python/mysnprintf.c >+++ Python-2.4.4/Python/mysnprintf.c >@@ -54,18 +54,28 @@ int > PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) > { > int len; /* # bytes written, excluding \0 */ >-#ifndef HAVE_SNPRINTF >+#ifdef HAVE_SNPRINTF >+#define _PyOS_vsnprintf_EXTRA_SPACE 1 >+#else >+#define _PyOS_vsnprintf_EXTRA_SPACE 512 > char *buffer; > #endif > assert(str != NULL); > assert(size > 0); > assert(format != NULL); >+ /* We take a size_t as input but return an int. Sanity check >+ * our input so that it won't cause an overflow in the >+ * vsnprintf return value or the buffer malloc size. */ >+ if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) { >+ len = -666; >+ goto Done; >+ } > > #ifdef HAVE_SNPRINTF > len = vsnprintf(str, size, format, va); > #else > /* Emulate it. */ >- buffer = PyMem_MALLOC(size + 512); >+ buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE); > if (buffer == NULL) { > len = -666; > goto Done; >@@ -75,7 +85,7 @@ PyOS_vsnprintf(char *str, size_t size, c > if (len < 0) > /* ignore the error */; > >- else if ((size_t)len >= size + 512) >+ else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE) > Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf"); > > else { >@@ -86,8 +96,10 @@ PyOS_vsnprintf(char *str, size_t size, c > str[to_copy] = '\0'; > } > PyMem_FREE(buffer); >-Done: > #endif >- str[size-1] = '\0'; >+Done: >+ if (size > 0) >+ str[size-1] = '\0'; > return len; >+#undef _PyOS_vsnprintf_EXTRA_SPACE > }
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 232137
: 160679 |
161577
|
161579