Fix various potential buffer overrun problems.

6c849697 · Guido van Rossum · 138d72f6 · 6c849697
Kaydet (Commit) 6c849697 authored Eyl 26, 1994 tarafından Guido van Rossum
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 9 deletions

import.c Python/import.c +18 -9

No files found.
--- a/Python/import.c
+++ b/Python/import.c
@@ -167,8 +167,12 @@ extern char *getprogramname();

 #endif /* DYNAMIC_LINK */

-/* Magic word to reject .pyc files generated by other Python versions */
+/* Max length of module suffix searched for -- accommodates "module.so" */
+#ifndef MAXSUFFIXSIZE
+#define MAXSUFFIXSIZE 10
+#endif

+/* Magic word to reject .pyc files generated by other Python versions */
 #define MAGIC 0x999903L /* Increment by one for each incompatible change */

 static object *modules;
@@ -355,7 +359,7 @@ load_dynamic_module(name, namebuf, m, m_ret)
                        char buf[256];
                        if (verbose)
                                perror(namebuf);
-                        sprintf(buf,"Failed to load %s", namebuf);
+                        sprintf(buf, "Failed to load %.200s", namebuf);
                        err_setstr(ImportError, buf);
                        return NULL;
                }
@@ -396,7 +400,7 @@ get_module(m, name, m_ret)
 	char *name;
 	object **m_ret;
 {
-	int err, npath, i, len;
+	int err, npath, i, len, namelen;
 	long magic;
 	long mtime, pyc_mtime;
 	char namebuf[MAXPATHLEN+1];
@@ -413,16 +417,21 @@ get_module(m, name, m_ret)
 		return NULL;
 	}
 	npath = getlistsize(path);
+	namelen = strlen(name);
 	for (i = 0; i < npath; i++) {
 		v = getlistitem(path, i);
 		if (!is_stringobject(v))
 			continue;
-		strcpy(namebuf, getstringvalue(v));
 		len = getstringsize(v);
+		if (len + 1 + namelen + MAXSUFFIXSIZE >= MAXPATHLEN)
+			continue; /* Too long */
+		strcpy(namebuf, getstringvalue(v));
+		if (strlen(namebuf) != len)
+			continue; /* v contains '\0' */
 		if (len > 0 && namebuf[len-1] != SEP)
 			namebuf[len++] = SEP;
 		strcpy(namebuf+len, name);
-		len += strlen(name);
+		len += namelen;
 		for (fdp = filetab; fdp->suffix != NULL; fdp++) {
 			strcpy(namebuf+len, fdp->suffix);
 			if (verbose > 1)
@@ -435,7 +444,7 @@ get_module(m, name, m_ret)
 			break;
 	}
 	if (fp == NULL) {
-		sprintf(namebuf, "No module named %s", name);
+		sprintf(namebuf, "No module named %.200s", name);
 		err_setstr(ImportError, namebuf);
 		return NULL;
 	}
@@ -761,9 +770,9 @@ void aix_loaderror(char *namebuf)
 	};

 #define LOAD_ERRTAB_LEN	(sizeof(load_errtab)/sizeof(load_errtab[0]))
-#define ERRBUF_APPEND(s)	strncat(errbuf, s, sizeof(errbuf))
+#define ERRBUF_APPEND(s) strncat(errbuf, s, sizeof(errbuf)-strlen(errbuf)-1)

-	sprintf(errbuf, " from module %s ", namebuf);
+	sprintf(errbuf, " from module %.200s ", namebuf);

 	if (!loadquery(1, &message[0], sizeof(message))) 
 		ERRBUF_APPEND(strerror(errno));
@@ -777,7 +786,7 @@ void aix_loaderror(char *namebuf)
 		ERRBUF_APPEND(message[i]);
 		ERRBUF_APPEND("\n");
 	}
-	errbuf[strlen(errbuf)-1] = '\0' ;	/* trim off last newline */
+	errbuf[strlen(errbuf)-1] = '\0';	/* trim off last newline */
 	err_setstr(ImportError, errbuf); 
 	return; 
 }