author | drochner <drochner@pkgsrc.org> | 2008-08-07 11:20:18 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2008-08-07 11:20:18 +0000 |
commit | 35baa89b31f5f30f67d0da378da5ab44885dfc5a (patch) | |
tree | ef5059a38a6fb3646ed4c113d47a71f5f783ac73 /lang/python24 | |
parent | f5db990c23a9e8307b94f3503f0038765ef626c7 (diff) | |
download | pkgsrc-35baa89b31f5f30f67d0da378da5ab44885dfc5a.tar.gz |
Add a patch from the upstream 2.5 branch (svn rev.63883) to fix an
integer overflow in the vsnprintf replacement function.
This is likely not a real problem, and the patch wasn't pulled to
the upstream 2.4 branch, but with it applied we can formally declare
our 2.4 as not vulnerable now.
Diffstat (limited to 'lang/python24')
-rw-r--r-- | lang/python24/distinfo | 3 | ||||
-rw-r--r-- | lang/python24/patches/patch-bm | 57 |
2 files changed, 59 insertions, 1 deletions
diff --git a/lang/python24/distinfo b/lang/python24/distinfo
index ea4cd5d3e18..3ab2be080be 100644
--- a/lang/python24/distinfo
+++ b/lang/python24/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30 2008/08/05 10:45:45 drochner Exp $
+$NetBSD: distinfo,v 1.31 2008/08/07 11:20:18 drochner Exp $
 
 SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107
 RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097
@@ -35,3 +35,4 @@ SHA1 (patch-bi) = 735906d3fb35bfe0d3b8d410b3a240e358215e05
 SHA1 (patch-bj) = ee23fac376746e48ee00e73b9ecc688086b7bc98
 SHA1 (patch-bk) = 4af3c66a3f6b773dc5fc14943a36b0906024e885
 SHA1 (patch-bl) = 9a192f5f4afd4296493599414a714bba6085d897
+SHA1 (patch-bm) = bd8a9f5b2cc3909bc69d9b585b42643057dae646
diff --git a/lang/python24/patches/patch-bm b/lang/python24/patches/patch-bm
new file mode 100644
index 00000000000..2c1de4873a1
--- /dev/null
+++ b/lang/python24/patches/patch-bm
@@ -0,0 +1,57 @@
+$NetBSD: patch-bm,v 1.1 2008/08/07 11:20:18 drochner Exp $
+
+--- Python/mysnprintf.c.orig 2001-12-21 17:32:15.000000000 +0100
++++ Python/mysnprintf.c
+@@ -54,18 +54,28 @@ int
+ PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
+ {
+ int len; /* # bytes written, excluding \0 */
+-#ifndef HAVE_SNPRINTF
++#ifdef HAVE_SNPRINTF
++#define _PyOS_vsnprintf_EXTRA_SPACE 1
++#else
++#define _PyOS_vsnprintf_EXTRA_SPACE 512
+ char *buffer;
+ #endif
+ assert(str != NULL);
+ assert(size > 0);
+ assert(format != NULL);
++ /* We take a size_t as input but return an int. Sanity check
++ * our input so that it won't cause an overflow in the
++ * vsnprintf return value or the buffer malloc size. */
++ if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) {
++ len = -666;
++ goto Done;
++ }
+
+ #ifdef HAVE_SNPRINTF
+ len = vsnprintf(str, size, format, va);
+ #else
+ /* Emulate it. */
+- buffer = PyMem_MALLOC(size + 512);
++ buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE);
+ if (buffer == NULL) {
+ len = -666;
+ goto Done;
+@@ -75,7 +85,7 @@ PyOS_vsnprintf(char *str, size_t size, c
+ if (len < 0)
+ /* ignore the error */;
+
+- else if ((size_t)len >= size + 512)
++ else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE)
+ Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf");
+
+ else {
+@@ -86,8 +96,10 @@ PyOS_vsnprintf(char *str, size_t size, c
+ str[to_copy] = '\0';
+ }
+ PyMem_FREE(buffer);
+-Done:
+ #endif
+- str[size-1] = '\0';
++Done:
++ if (size > 0)
++ str[size-1] = '\0';
+ return len;
++#undef _PyOS_vsnprintf_EXTRA_SPACE
+ }
 |
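Review bot: In the guard added near the top of PyOS_vsnprintf, an oversized `size` is rejected but control still jumps to `Done:`, where `str[size-1] = '\0'` stores at an offset taken from that same rejected value and leaves the rest of `str` unwritten. If a caller ever reaches this path with a size produced by a wrapped length computation, that store could fall outside the real buffer, and a caller that ignores the -666 return would then treat stale buffer contents as a string. I would terminate at the front and leave from the guard itself, `str[0] = '\0';` followed by `return -666;`, keeping `goto Done` for the malloc-failure path only. The stretches of the function between the three inner hunks are not shown, so this rests on the visible lines. As a smaller style point, `_PyOS_vsnprintf_EXTRA_SPACE` begins with an underscore and a capital letter, a form C reserves for the implementation.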