python version 2.4.3
Hello,
recently I came across the following bit of code in the
source file Objects/complexobject.c:
    static void
    complex_to_buf(char *buf, int bufsz, PyComplexObject *v, int precision)
    {
        char format[32];
        if (v->cval.real == 0.) {
            PyOS_snprintf(format, 32, "%%.%ig", precision);
            PyOS_ascii_formatd(buf, bufsz, format, v->cval.imag);
            strncat(buf, "j", bufsz);
The strncat statement in the last line is potentially
unsafe: the size argument of strncat determines how
many characters are to be added maximally and not how
large the buffer is in total. Also there needs to be
space for an additional '\0' byte.
This seems currently not exploitable, because the
function 'complex_to_buf' is always called with a large
enough buffer, but it should be fixed anyway (for
example to make sure that nobody copies this code for
use in another context).
I hope this helps,
Jochen
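The size semantics described in the report, as an added example that is not part of the original message or of CPython's source: `strncat_required_size` computes how much buffer a `strncat(buf, src, n)` call can need, and `append_bounded` is one way to append with the total buffer size as the limit. Both function names and the sample buffer are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* strncat(buf, src, n) copies at most n chars from src and then always
   writes a '\0'. With strlen(buf) == used, this is the total buffer
   size that call needs. (Hypothetical helper.) */
size_t strncat_required_size(size_t used, const char *src, size_t n)
{
    size_t copied = strlen(src);
    if (copied > n)
        copied = n;
    return used + copied + 1;
}

/* Hypothetical helper: append src to buf, where bufsz is the TOTAL size
   of buf. Returns 0 on success, -1 if buf is not terminated within bufsz
   or src does not fit; buf is left unchanged on failure. */
int append_bounded(char *buf, size_t bufsz, const char *src)
{
    const char *end = memchr(buf, '\0', bufsz);
    size_t used, len;

    if (end == NULL)
        return -1;
    used = (size_t)(end - buf);
    len = strlen(src);
    if (len > bufsz - used - 1)   /* used < bufsz here, so no underflow */
        return -1;
    memcpy(buf + used, src, len + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample: 7 characters plus '\0' fill the buffer exactly. */
    char buf[8] = "1.23456";

    /* The pattern from the report passes the total size as n. */
    printf("buffer size %zu, strncat(buf, \"j\", bufsz) needs %zu\n",
           sizeof buf, strncat_required_size(strlen(buf), "j", sizeof buf));
    printf("append_bounded returns %d, buf = \"%s\"\n",
           append_bounded(buf, sizeof buf, "j"), buf);
    return 0;
}
```
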