commit c6dd415252f255b583fcdae5d51a28e027284b06
author Steve Dower <steve.dower@microsoft.com> Thu Oct 27 14:28:07 2016 -0700
committer Steve Dower <steve.dower@microsoft.com> Thu Oct 27 14:28:07 2016 -0700
tree 472f56f3e818640de306b3d1ac2181e40a0e93ac
parent e45ef4e54cc408e1243e57eb2287c087fa81a0d4

Issue #28522: Fixes mishandled buffer reallocation in getpathp.c

PC/getpathp.c

diff --git a/PC/getpathp.c b/PC/getpathp.c
index 31f973e..0b0ae49 100644
--- a/PC/getpathp.c
+++ b/PC/getpathp.c
@@ -581,7 +581,8 @@
         wn = MultiByteToWideChar(CP_UTF8, 0, line, -1, wline, wn + 1);
         wline[wn] = '\0';
 
-        while (wn + prefixlen + 4 > bufsiz) {
+        size_t usedsiz = wcslen(buf);
+        while (usedsiz + wn + prefixlen + 4 > bufsiz) {
             bufsiz += MAXPATHLEN;
             buf = (wchar_t*)PyMem_RawRealloc(buf, (bufsiz + 1) * sizeof(wchar_t));
             if (!buf) {
@@ -590,11 +591,21 @@
             }
         }
 
-        if (buf[0])
+        if (usedsiz) {
             wcscat_s(buf, bufsiz, L";");
+            usedsiz += 1;
+        }
 
-        wchar_t *b = &buf[wcslen(buf)];
-        wcscat_s(buf, bufsiz, prefix);
+        errno_t result;
+        _Py_BEGIN_SUPPRESS_IPH
+        result = wcscat_s(buf, bufsiz, prefix);
+        _Py_END_SUPPRESS_IPH
+        if (result == EINVAL) {
+            Py_FatalError("invalid argument during ._pth processing");
+        } else if (result == ERANGE) {
+            Py_FatalError("buffer overflow during ._pth processing");
+        }
+        wchar_t *b = &buf[usedsiz];
         join(b, wline);
 
         PyMem_RawFree(wline);