New submission from Matthias Klose <[EMAIL PROTECTED]>: forwarded from https://launchpad.net/bugs/234798
Bug reporter writes:

Python/pythonrun.c's PyRun_SimpleFileExFlags() assumes the filename's extension starts four characters back from the end. But what if the filename is only one character long? Memory before the filename is referenced which is probably outside the memory allocated for the string. Here's the relevant bits of code, boring lines deleted.

    int
    PyRun_SimpleFileExFlags(FILE *fp, const char *filename, int closeit,
                            PyCompilerFlags *flags)
    {
        /* ... */
        ext = filename + strlen(filename) - 4;
        if (maybe_pyc_file(fp, filename, ext, closeit)) {
            /* ... */
            if (strcmp(ext, ".pyo") == 0)
                Py_OptimizeFlag = 1;
        }
        /* ... */
    }

    static int
    maybe_pyc_file(FILE *fp, const char* filename, const char* ext, int closeit)
    {
        if (strcmp(ext, ".pyc") == 0 || strcmp(ext, ".pyo") == 0)
            return 1;
        /* ... */
    }

A trivial solution is:

    len = strlen(filename);
    ext = filename + len - (len > 4 ? 4 : 0);

This will make ext point to the NUL terminator unless filename has room for the desired /\.py[co]$/ suffix *and* at least one character beforehand, since I don't suppose it's intended that ".pyo" is a valid pyo file.

----------
components: Interpreter Core
messages: 73083
nosy: doko
severity: normal
status: open
title: memory access before short string when checking suffix
versions: Python 2.5, Python 2.6

_______________________________________
Python tracker <[EMAIL PROTECTED]>
<http://bugs.python.org/issue3845>
_______________________________________
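Added example (not part of the original report and not CPython's code): a self-contained C sketch of the bounded suffix check the report proposes, next to the offset the unguarded `strlen(filename) - 4` computation would produce. The helper names (unguarded_offset, suffix4, suffix_offset, compiled_kind) and the sample file names are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Offset the unguarded code computes: negative means "before the buffer".
 * Only the number is computed here; no out-of-bounds pointer is formed. */
static long unguarded_offset(const char *filename)
{
    return (long)strlen(filename) - 4;
}

/* Guarded form: point at the last four characters only when at least one
 * character precedes them; otherwise point at the terminating NUL. */
static const char *suffix4(const char *filename)
{
    size_t len = strlen(filename);
    return filename + len - (len > 4 ? 4 : 0);
}

/* Offset of the guarded suffix pointer; always within [0, strlen]. */
static size_t suffix_offset(const char *filename)
{
    return (size_t)(suffix4(filename) - filename);
}

/* 0 = not a compiled file name, 1 = ends in ".pyc", 2 = ends in ".pyo". */
static int compiled_kind(const char *filename)
{
    const char *ext = suffix4(filename);
    if (strcmp(ext, ".pyc") == 0)
        return 1;
    if (strcmp(ext, ".pyo") == 0)
        return 2;
    return 0;
}

int main(void)
{
    /* Constructed sample names, including the short cases from the report. */
    const char *names[] = { "", "a", ".pyo", "a.py", "x.pyc", "mod.pyo" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s unguarded=%ld guarded=%zu kind=%d\n", names[i],
               unguarded_offset(names[i]), suffix_offset(names[i]),
               compiled_kind(names[i]));
    return 0;
}
```
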