authordrochner <drochner@pkgsrc.org>2008-08-07 11:20:18 +0000
committerdrochner <drochner@pkgsrc.org>2008-08-07 11:20:18 +0000
commit35baa89b31f5f30f67d0da378da5ab44885dfc5a (patch)
treeef5059a38a6fb3646ed4c113d47a71f5f783ac73 /lang/python24
parentf5db990c23a9e8307b94f3503f0038765ef626c7 (diff)
downloadpkgsrc-35baa89b31f5f30f67d0da378da5ab44885dfc5a.tar.gz
Add a patch from the upstream 2.5 branch (svn rev.63883) to fix an
integer overflow in the vsnprintf replacement function. This is likely not a real problem, and the patch wasn't pulled to the upstream 2.4 branch, but with it applied we can formally declare our 2.4 as not vulnerable now.
Diffstat (limited to 'lang/python24')
-rw-r--r--lang/python24/distinfo3
-rw-r--r--lang/python24/patches/patch-bm57
2 files changed, 59 insertions, 1 deletions
diff --git a/lang/python24/distinfo b/lang/python24/distinfo
index ea4cd5d3e18..3ab2be080be 100644
--- a/lang/python24/distinfo
+++ b/lang/python24/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.30 2008/08/05 10:45:45 drochner Exp $
+$NetBSD: distinfo,v 1.31 2008/08/07 11:20:18 drochner Exp $
SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107
RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097
@@ -35,3 +35,4 @@ SHA1 (patch-bi) = 735906d3fb35bfe0d3b8d410b3a240e358215e05
SHA1 (patch-bj) = ee23fac376746e48ee00e73b9ecc688086b7bc98
SHA1 (patch-bk) = 4af3c66a3f6b773dc5fc14943a36b0906024e885
SHA1 (patch-bl) = 9a192f5f4afd4296493599414a714bba6085d897
+SHA1 (patch-bm) = bd8a9f5b2cc3909bc69d9b585b42643057dae646
diff --git a/lang/python24/patches/patch-bm b/lang/python24/patches/patch-bm
new file mode 100644
index 00000000000..2c1de4873a1
--- /dev/null
+++ b/lang/python24/patches/patch-bm
@@ -0,0 +1,57 @@
+$NetBSD: patch-bm,v 1.1 2008/08/07 11:20:18 drochner Exp $
+
+--- Python/mysnprintf.c.orig 2001-12-21 17:32:15.000000000 +0100
++++ Python/mysnprintf.c
+@@ -54,18 +54,28 @@ int
+ PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
+ {
+ int len; /* # bytes written, excluding \0 */
+-#ifndef HAVE_SNPRINTF
++#ifdef HAVE_SNPRINTF
++#define _PyOS_vsnprintf_EXTRA_SPACE 1
++#else
++#define _PyOS_vsnprintf_EXTRA_SPACE 512
+ char *buffer;
+ #endif
+ assert(str != NULL);
+ assert(size > 0);
+ assert(format != NULL);
++ /* We take a size_t as input but return an int. Sanity check
++ * our input so that it won't cause an overflow in the
++ * vsnprintf return value or the buffer malloc size. */
++ if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) {
++ len = -666;
++ goto Done;
++ }
+
+ #ifdef HAVE_SNPRINTF
+ len = vsnprintf(str, size, format, va);
+ #else
+ /* Emulate it. */
+- buffer = PyMem_MALLOC(size + 512);
++ buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE);
+ if (buffer == NULL) {
+ len = -666;
+ goto Done;
+@@ -75,7 +85,7 @@ PyOS_vsnprintf(char *str, size_t size, c
+ if (len < 0)
+ /* ignore the error */;
+
+- else if ((size_t)len >= size + 512)
++ else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE)
+ Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf");
+
+ else {
+@@ -86,8 +96,10 @@ PyOS_vsnprintf(char *str, size_t size, c
+ str[to_copy] = '\0';
+ }
+ PyMem_FREE(buffer);
+-Done:
+ #endif
+- str[size-1] = '\0';
++Done:
++ if (size > 0)
++ str[size-1] = '\0';
+ return len;
++#undef _PyOS_vsnprintf_EXTRA_SPACE
+ }
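Review bot: The new size check `if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE)` jumps to `Done` having written nothing to `str` except the byte at `str[size-1]`, so a caller that ignores the `-666` return will read the buffer's previous contents as a string; the existing `buffer == NULL` path behaves the same way. Adding `str[0] = '\0';` before each `goto Done;` would leave a well-defined empty string on failure. The store at `str[size-1]` on the reject path also uses the very size that was just judged implausible, so it is in bounds only if the caller's size was honest and not itself the result of a wrapped computation; skipping that store when the size check fails would be safer. A short comment stating that `-666` is the error return for both rejected sizes and allocation failure would help. The function body is only partly visible here: the formatting call between the inner patch's second and third hunks is not shown, so this does not cover it.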