From 35baa89b31f5f30f67d0da378da5ab44885dfc5a Mon Sep 17 00:00:00 2001 From: drochner Date: Thu, 7 Aug 2008 11:20:18 +0000 Subject: Add a patch from the upstream 2.5 branch (svn rev.63883) to fix an integer overflow in the vsnprintf replacement function. This is likely not a real problem, and the patch wasn't pulled to the upstream 2.4 branch, but so we can formally declare our 2.4 as not vulnerable now. --- lang/python24/distinfo | 3 ++- lang/python24/patches/patch-bm | 57 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+), 1 deletion(-) create mode 100644 lang/python24/patches/patch-bm diff --git a/lang/python24/distinfo b/lang/python24/distinfo index ea4cd5d3e18..3ab2be080be 100644 --- a/lang/python24/distinfo +++ b/lang/python24/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.30 2008/08/05 10:45:45 drochner Exp $ +$NetBSD: distinfo,v 1.31 2008/08/07 11:20:18 drochner Exp $ SHA1 (Python-2.4.5.tar.bz2) = 6e9e1ac2b70cc10c36063a25ab5a5ddb53177107 RMD160 (Python-2.4.5.tar.bz2) = b43f2114697be751f03ec7cfb46f8c4946a73097 @@ -35,3 +35,4 @@ SHA1 (patch-bi) = 735906d3fb35bfe0d3b8d410b3a240e358215e05 SHA1 (patch-bj) = ee23fac376746e48ee00e73b9ecc688086b7bc98 SHA1 (patch-bk) = 4af3c66a3f6b773dc5fc14943a36b0906024e885 SHA1 (patch-bl) = 9a192f5f4afd4296493599414a714bba6085d897 +SHA1 (patch-bm) = bd8a9f5b2cc3909bc69d9b585b42643057dae646 diff --git a/lang/python24/patches/patch-bm b/lang/python24/patches/patch-bm new file mode 100644 index 00000000000..2c1de4873a1 --- /dev/null +++ b/lang/python24/patches/patch-bm @@ -0,0 +1,57 @@ +$NetBSD: patch-bm,v 1.1 2008/08/07 11:20:18 drochner Exp $ + +--- Python/mysnprintf.c.orig 2001-12-21 17:32:15.000000000 +0100 ++++ Python/mysnprintf.c +@@ -54,18 +54,28 @@ int + PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va) + { + int len; /* # bytes written, excluding \0 */ +-#ifndef HAVE_SNPRINTF ++#ifdef HAVE_SNPRINTF ++#define _PyOS_vsnprintf_EXTRA_SPACE 1 ++#else ++#define _PyOS_vsnprintf_EXTRA_SPACE 512 + char *buffer; + #endif + assert(str != NULL); + assert(size > 0); + assert(format != NULL); ++ /* We take a size_t as input but return an int. Sanity check ++ * our input so that it won't cause an overflow in the ++ * vsnprintf return value or the buffer malloc size. */ ++ if (size > INT_MAX - _PyOS_vsnprintf_EXTRA_SPACE) { ++ len = -666; ++ goto Done; ++ } + + #ifdef HAVE_SNPRINTF + len = vsnprintf(str, size, format, va); + #else + /* Emulate it. */ +- buffer = PyMem_MALLOC(size + 512); ++ buffer = PyMem_MALLOC(size + _PyOS_vsnprintf_EXTRA_SPACE); + if (buffer == NULL) { + len = -666; + goto Done; +@@ -75,7 +85,7 @@ PyOS_vsnprintf(char *str, size_t size, c + if (len < 0) + /* ignore the error */; + +- else if ((size_t)len >= size + 512) ++ else if ((size_t)len >= size + _PyOS_vsnprintf_EXTRA_SPACE) + Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf"); + + else { +@@ -86,8 +96,10 @@ PyOS_vsnprintf(char *str, size_t size, c + str[to_copy] = '\0'; + } + PyMem_FREE(buffer); +-Done: + #endif +- str[size-1] = '\0'; ++Done: ++ if (size > 0) ++ str[size-1] = '\0'; + return len; ++#undef _PyOS_vsnprintf_EXTRA_SPACE + } -- cgit v1.2.3