python accesses memory before short string when checking suffix

Bug #234798 reported by Ralph Corderoy
2
Affects Status Importance Assigned to Milestone
Python
Fix Released
Unknown
python2.5 (Ubuntu)
Low
Unassigned
python2.6 (Ubuntu)
Low
Unassigned

Bug Description

Binary package hint: python2.5

Ubuntu 8.04, python 2.5.2-0ubuntu1, python2.5 2.5.2-2ubuntu4.

Python/pythonrun.c's PyRun_SimpleFileExFlags() assumes the filename's extension
starts four characters back from the end. But what if the filename is only one
character long? Memory before the filename is referenced which is probably
outside the memory allocated for the string. Here's the relevant bits of code,
boring lines deleted.

    int
    PyRun_SimpleFileExFlags(FILE *fp, const char *filename, int closeit,
                            PyCompilerFlags *flags)
    {
        ext = filename + strlen(filename) - 4;
        if (maybe_pyc_file(fp, filename, ext, closeit)) {
            if (strcmp(ext, ".pyo") == 0)
                Py_OptimizeFlag = 1;
    }

    static int
    maybe_pyc_file(FILE *fp, const char* filename, const char* ext, int closeit)
    {
        if (strcmp(ext, ".pyc") == 0 || strcmp(ext, ".pyo") == 0)
            return 1;
    }

A trivial solution is:

    len = strlen(filename);
    ext = filename + len - len > 4 ? 4 : 0;

This will make ext point to the NUL terminator unless filename has room
for the desired /\.py[co]$/ suffix *and* at least one character
beforehand, since I don't suppose it's intended that ".pyo" is a valid
pyo file.

Matthias Klose (doko)
Changed in python2.5:
importance: Undecided → Low
status: New → Triaged
Changed in python:
status: Unknown → New
Matthias Klose (doko)
Changed in python2.6 (Ubuntu):
importance: Undecided → Low
status: New → In Progress
Changed in python2.5 (Ubuntu):
status: Triaged → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.5 - 2.5.4-1ubuntu4

---------------
python2.5 (2.5.4-1ubuntu4) jaunty; urgency=low

  * Fix issue #1651995, _convert_ref for non-ASCII characters. LP: #240929.
  * Fix issue #3845, in PyRun_SimpleFileExFlags avoid invalid memory access
    with short file names. LP: #234798.
  * Fix issue #1046, title endtag in HTMLCalender.formatyearpage().
    Closes: #513335.
  * Py_DECREF: Add `do { ... } while (0)' to avoid compiler warnings.
  * curses.initscr(): raise an error instead of calling exit() in error cases.
    Closes: #478817.
  * Fix comment macro in python manpage.

 -- Matthias Klose <email address hidden> Sat, 04 Apr 2009 19:09:56 +0200

Changed in python2.5 (Ubuntu):
status: In Progress → Fix Released
Changed in python:
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package python2.6 - 2.6.1-1ubuntu11

---------------
python2.6 (2.6.1-1ubuntu11) jaunty; urgency=low

  * Update to 20090405, taken from the 2.6 release branch.
    - Fix issue #1651995, _convert_ref for non-ASCII characters. LP: #240929.
    - Fix issue #3845, in PyRun_SimpleFileExFlags avoid invalid memory access
      with short file names. LP: #234798.
    - Fix issues #5190, #5444, #5471, #5615, #5617, #5631, #1326077, #1726172.
    - Fix documentation issues #3427, #4411, #4882, #5018, #5298, #5370,
      #5432, #5563, #5580, #5598, #5601, #5618, #5635, #5642, #5655, #1096310,
      #1530012, #1675026, #1718017, #1742837,
  * Fix issue #1113244: Py_XINCREF, Py_DECREF, Py_XDECREF: Add
   `do { ... } while (0)' to avoid compiler warnings. Closes: #516956.

 -- Matthias Klose <email address hidden> Mon, 06 Apr 2009 00:36:01 +0200

Changed in python2.6 (Ubuntu):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.