Fixes for possible buffer overflows in sprintf() usages.
diff --git a/Python/compile.c b/Python/compile.c
index b477513..1104def 100644
--- a/Python/compile.c
+++ b/Python/compile.c
@@ -4195,7 +4195,7 @@
return GLOBAL_IMPLICIT;
}
}
- sprintf(buf,
+ PyOS_snprintf(buf, sizeof(buf),
"unknown scope for %.100s in %.100s(%s) "
"in %s\nsymbols: %s\nlocals: %s\nglobals: %s\n",
name, c->c_name,
diff --git a/Python/dynload_os2.c b/Python/dynload_os2.c
index 24ad74e..a3eb468 100644
--- a/Python/dynload_os2.c
+++ b/Python/dynload_os2.c
@@ -32,7 +32,7 @@
if (rc != NO_ERROR) {
char errBuf[256];
sprintf(errBuf,
- "DLL load failed, rc = %d: %s",
+ "DLL load failed, rc = %d: %.200s",
rc, failreason);
PyErr_SetString(PyExc_ImportError, errBuf);
return NULL;
diff --git a/Python/dynload_win.c b/Python/dynload_win.c
index a5a65cf..155a9d6 100644
--- a/Python/dynload_win.c
+++ b/Python/dynload_win.c
@@ -232,7 +232,7 @@
if (import_python &&
strcasecmp(buffer,import_python)) {
sprintf(buffer,
- "Module use of %s conflicts "
+ "Module use of %.150s conflicts "
"with this version of Python.",
import_python);
PyErr_SetString(PyExc_ImportError,buffer);
diff --git a/Python/getargs.c b/Python/getargs.c
index 248def3..c80ca58 100644
--- a/Python/getargs.c
+++ b/Python/getargs.c
@@ -1,11 +1,6 @@
/* New getargs implementation */
-/* XXX There are several unchecked sprintf or strcat calls in this file.
- XXX The only way these can become a danger is if some C code in the
- XXX Python source (or in an extension) uses ridiculously long names
- XXX or ridiculously deep nesting in format strings. */
-
#include "Python.h"
#include <ctype.h>
@@ -140,7 +135,7 @@
if (max == 0) {
if (args == NULL)
return 1;
- sprintf(msgbuf, "%s%s takes no arguments",
+ sprintf(msgbuf, "%.200s%s takes no arguments",
fname==NULL ? "function" : fname,
fname==NULL ? "" : "()");
PyErr_SetString(PyExc_TypeError, msgbuf);
@@ -149,7 +144,7 @@
else if (min == 1 && max == 1) {
if (args == NULL) {
sprintf(msgbuf,
- "%s%s takes at least one argument",
+ "%.200s%s takes at least one argument",
fname==NULL ? "function" : fname,
fname==NULL ? "" : "()");
PyErr_SetString(PyExc_TypeError, msgbuf);
@@ -179,7 +174,7 @@
if (len < min || max < len) {
if (message == NULL) {
sprintf(msgbuf,
- "%s%s takes %s %d argument%s (%d given)",
+ "%.150s%s takes %s %d argument%s (%d given)",
fname==NULL ? "function" : fname,
fname==NULL ? "" : "()",
min==max ? "exactly"
@@ -220,7 +215,7 @@
static void
seterror(int iarg, char *msg, int *levels, char *fname, char *message)
{
- char buf[256];
+ char buf[512];
int i;
char *p = buf;
@@ -228,14 +223,14 @@
return;
else if (message == NULL) {
if (fname != NULL) {
- sprintf(p, "%s() ", fname);
+ sprintf(p, "%.200s() ", fname);
p += strlen(p);
}
if (iarg != 0) {
sprintf(p, "argument %d", iarg);
i = 0;
p += strlen(p);
- while (levels[i] > 0) {
+ while (levels[i] > 0 && (int)(p-buf) < 220) {
sprintf(p, ", item %d", levels[i]-1);
p += strlen(p);
i++;
@@ -245,7 +240,7 @@
sprintf(p, "argument");
p += strlen(p);
}
- sprintf(p, " %s", msg);
+ sprintf(p, " %.256s", msg);
message = buf;
}
PyErr_SetString(PyExc_TypeError, message);
@@ -300,8 +295,8 @@
if (!PySequence_Check(arg) || PyString_Check(arg)) {
levels[0] = 0;
sprintf(msgbuf,
- toplevel ? "expected %d arguments, not %s" :
- "must be %d-item sequence, not %s",
+ toplevel ? "expected %d arguments, not %.50s" :
+ "must be %d-item sequence, not %.50s",
n, arg == Py_None ? "None" : arg->ob_type->tp_name);
return msgbuf;
}