classification
Title: potential buffer overflow in complexobject.c
Type: Stage:
Components: Interpreter Core Versions: Python 2.4
process
Status: closed Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: akuchling, jvoss2, sf-robot
Priority: normal Keywords:

Created on 2006-10-13 21:06 by jvoss2, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (3)
msg30246 - (view) Author: Jochen Voss (jvoss2) Date: 2006-10-13 21:06
python version 2.4.3

Hello,

Recently I came across the following bit of code in the
source file Objects/complexobject.c:

static void
complex_to_buf(char *buf, int bufsz, PyComplexObject *v, int precision)
{
        char format[32];
        if (v->cval.real == 0.) {
                PyOS_snprintf(format, 32, "%%.%ig", precision);
                PyOS_ascii_formatd(buf, bufsz, format, v->cval.imag);
                strncat(buf, "j", bufsz);

The strncat statement in the last line is potentially
unsafe: the size argument of strncat determines how
many characters are to be added maximally and not how
large the buffer is in total.  Also there needs to be
space for an additional '\0' byte.

This seems currently not exploitable, because the
function 'complex_to_buf' is always called with a large
enough buffer, but it should be fixed anyway (for
example to make sure that nobody copies this code for
use in another context).

I hope this helps,
Jochen
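
The size semantics described in the report above, as an added example that is not part of the original report or of CPython's source. `strncat_end` and `append_bounded` are hypothetical helpers and the sample buffers are constructed; the first computes where `strncat` would stop writing, the second appends using the total buffer size as the bound.

```c
#include <stdio.h>
#include <string.h>

/* Offset one past the terminating NUL that strncat(dst, src, n) writes:
 * strncat appends at most n bytes of src and then always adds a '\0'. */
static size_t strncat_end(const char *dst, const char *src, size_t n)
{
    size_t add = strlen(src);
    if (add > n)
        add = n;
    return strlen(dst) + add + 1;
}

/* Bounded append (hypothetical helper): bufsz is the total size of buf.
 * Returns 0 on success, -1 if buf is unterminated or src does not fit;
 * buf is left unchanged on failure. */
static int append_bounded(char *buf, size_t bufsz, const char *src)
{
    const char *nul = memchr(buf, '\0', bufsz);
    size_t used, add = strlen(src);

    if (nul == NULL)
        return -1;
    used = (size_t)(nul - buf);
    if (add > bufsz - used - 1)         /* reserve one byte for the NUL */
        return -1;
    memcpy(buf + used, src, add + 1);   /* copies the NUL as well */
    return 0;
}

int main(void)
{
    char full[8] = "1.23456";   /* constructed: 7 chars + NUL fill all 8 bytes */
    char room[8] = "1.5";       /* constructed: 4 bytes free after the NUL */

    /* strncat(full, "j", sizeof full) would end past the 8-byte buffer */
    printf("strncat would end at offset %zu of %zu\n",
           strncat_end(full, "j", sizeof full), sizeof full);
    printf("full: %d \"%s\"\n", append_bounded(full, sizeof full, "j"), full);
    printf("room: %d \"%s\"\n", append_bounded(room, sizeof room, "j"), room);
    return 0;
}
```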
msg30247 - (view) Author: A.M. Kuchling (akuchling) * (Python committer) Date: 2006-10-19 21:44
I believe this is fixed in Python 2.4.4 and Python 2.5; a
static analysis tool reported the problem. Please take a
look at the current trunk version at
http://svn.python.org/view/python/trunk/Objects/complexobject.c?rev=50679&view=log,
and see if the code seems safe now.
msg30248 - (view) Author: SourceForge Robot (sf-robot) Date: 2006-11-04 03:20
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).
History
Date User Action Args
2022-04-11 14:56:20 admin set github: 44129
2006-10-13 21:06:49 jvoss2 create