python / cpython

The Python programming language
https://www.python.org

buffer overflow in traceback.c #35584

Closed aleaxit closed 22 years ago

aleaxit commented 22 years ago
BPO 485175
Nosy @tim-one, @aleaxit

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


GitHub fields:

```python
assignee = 'https://github.com/tim-one'
closed_at =
created_at =
labels = ['interpreter-core']
title = 'buffer overflow in traceback.c'
updated_at =
user = 'https://github.com/aleaxit'
```

bugs.python.org fields:

```python
activity =
actor = 'tim.peters'
assignee = 'tim.peters'
closed = True
closed_date = None
closer = None
components = ['Interpreter Core']
creation =
creator = 'aleax'
dependencies = []
files = []
hgrepos = []
issue_num = 485175
keywords = []
message_count = 3.0
messages = ['7751', '7752', '7753']
nosy_count = 2.0
nosy_names = ['tim.peters', 'aleax']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue485175'
versions = ['Python 2.2']
```

aleaxit commented 22 years ago

Running this script:

```python
# Python 2 reproducer: build a 1000-character function name
name = 'prova'*200

# write a module whose only function has that very long name and raises
fou = open('fatto.py','w')
print>>fou, 'def',name,'():\n  return 1/0'
fou.close()

# import it, look the function up by name and call it so that the
# ZeroDivisionError traceback has to be formatted with the long co_name
import fatto
print 'prima (%d)'%len(name)
funz = getattr(fatto, name)
try:
    funz()
except:
    print 'beccato'
    raise
```

Python exits with a segfault. Cause: buffer overflow in traceback.c line 157, the only sprintf -- FMT (wrongly, I surmise) does not limit the number of characters it tries to write to linebuf from argument name, an unbounded-length string (the co_name).

tim-one commented 22 years ago


Reproduced the problem and assigned to me.

tim-one commented 22 years ago


Fixed, in

Misc/ACKS, new revision: 1.138
Python/traceback.c, new revision: 2.35

The format now limits file and function names to 500 chars each (and the size of the buffer was boosted accordingly).
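The defect and the fix above come down to one format string: a plain `%s` in `sprintf` copies however many bytes the source holds, so a `co_name` longer than the remaining space in the fixed `linebuf` writes past its end, while a precision specifier such as `%.500s` caps what each conversion may emit. The following C program is an added illustration of that pattern, not CPython's `traceback.c`; the function names, the 2000-byte buffer, the exact line layout and the use of `snprintf` are assumptions, with only the 500-character limit taken from the fix described in this issue.

```c
#include <stdio.h>
#include <string.h>

/* Assumed sizes: the 500-char cap mirrors the fix described in the issue,
   the buffer size is an illustrative choice, not CPython's. */
#define NAME_LIMIT   500
#define LINEBUF_SIZE 2000

/* The vulnerable shape (shown only in a comment, never executed here):
 *
 *     sprintf(linebuf, "  File \"%s\", line %d, in %s\n",
 *             filename, lineno, name);
 *
 * "%s" has no upper bound, so a name longer than the space left in
 * linebuf overruns the buffer, which is what the 1000-char 'prova'*200
 * function name in the report triggered. */

/* Bounded version: "%.*s" limits each name to NAME_LIMIT characters and
   snprintf limits the whole line to bufsize.  Returns, like snprintf, the
   number of characters the complete line would need, so a caller can
   compare it against bufsize to detect truncation.  Passing NULL and 0
   just measures the line without writing anything. */
int format_traceback_line(char *linebuf, size_t bufsize,
                          const char *filename, int lineno,
                          const char *name)
{
    return snprintf(linebuf, bufsize, "  File \"%.*s\", line %d, in %.*s\n",
                    NAME_LIMIT, filename, lineno, NAME_LIMIT, name);
}

/* 1 if the formatted line fits a LINEBUF_SIZE buffer untruncated, else 0. */
int line_fits(const char *filename, int lineno, const char *name)
{
    char linebuf[LINEBUF_SIZE];
    int needed = format_traceback_line(linebuf, sizeof linebuf,
                                       filename, lineno, name);
    return needed >= 0 && (size_t)needed < sizeof linebuf;
}

/* Rebuilds the report's 1000-character name ('prova' repeated 200 times,
   constructed here), formats a line with it and returns how many
   characters of the name actually made it into the output. */
size_t formatted_name_length(void)
{
    char name[1001];
    char linebuf[LINEBUF_SIZE];
    const char *in;
    size_t n;

    for (int i = 0; i < 200; i++)
        memcpy(name + 5 * i, "prova", 5);
    name[1000] = '\0';

    format_traceback_line(linebuf, sizeof linebuf, "fatto.py", 2, name);

    /* the function name is everything after ", in " up to the newline */
    in = strstr(linebuf, ", in ");
    if (in == NULL)
        return 0;
    in += 5;
    n = strlen(in);
    if (n > 0 && in[n - 1] == '\n')
        n--;
    return n;
}

int main(void)
{
    char linebuf[LINEBUF_SIZE];
    format_traceback_line(linebuf, sizeof linebuf, "fatto.py", 2, "provaprova");
    fputs(linebuf, stdout);
    printf("chars of the 1000-char name kept: %zu\n", formatted_name_length());
    return 0;
}
```

The precision on `%.*s` is what keeps a caller-controlled name from dictating the write size; `snprintf` is the second, independent bound, and checking its return value against the buffer size is how a caller notices that something was cut rather than silently shipping a truncated line.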