Closed aleaxit closed 22 years ago
Running this script:
name = 'prova'*200
fou = open('fatto.py','w')
print>>fou, 'def',name,'():\n return 1/0'
fou.close()
import fatto
print 'prima (%d)'%len(name)
funz = getattr(fatto, name)
try:
funz()
except:
print 'beccato'
raise
Python exits with a segfault. Cause: buffer overflow in traceback.c line 157, the only sprintf -- FMT (wrongly, I surmise) does not limit the number of characters it tries to write to linebuf from argument name, an unbounded-length string (the co_name).
Logged In: YES user_id=31435
Reproduced the problem and assigned to me.
Logged In: YES user_id=31435
Fixed, in
Misc/ACKS; new revision: 1.138 Python/traceback.c; new revision: 2.35
The format now limits file and function names to 500 chars each (and the size of the buffer was boosted accordingly).
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields: ```python assignee = 'https://github.com/tim-one' closed_at =
created_at =
labels = ['interpreter-core']
title = 'buffer overflow in traceback.c'
updated_at =
user = 'https://github.com/aleaxit'
```
bugs.python.org fields:
```python
activity =
actor = 'tim.peters'
assignee = 'tim.peters'
closed = True
closed_date = None
closer = None
components = ['Interpreter Core']
creation =
creator = 'aleax'
dependencies = []
files = []
hgrepos = []
issue_num = 485175
keywords = []
message_count = 3.0
messages = ['7751', '7752', '7753']
nosy_count = 2.0
nosy_names = ['tim.peters', 'aleax']
pr_nums = []
priority = 'normal'
resolution = 'fixed'
stage = None
status = 'closed'
superseder = None
type = None
url = 'https://bugs.python.org/issue485175'
versions = ['Python 2.2']
```