Issue 3845: memory access before short string when checking suffix

forwarded from https://launchpad.net/bugs/234798

Bug reporter writes:

Python/pythonrun.c's PyRun_SimpleFileExFlags() assumes the filename's extension starts four characters back from the end. But what if the filename is only one character long? Memory before the filename is referenced, which is probably outside the memory allocated for the string. Here are the relevant bits of code, boring lines deleted.

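int
PyRun_SimpleFileExFlags(FILE *fp, const char *filename, int closeit,
                        PyCompilerFlags *flags)
{
    const char *ext;
    /* ... lines deleted ... */
    /* Points before the start of filename when strlen(filename) < 4. */
    ext = filename + strlen(filename) - 4;
    if (maybe_pyc_file(fp, filename, ext, closeit)) {
        /* ... lines deleted ... */
        if (strcmp(ext, ".pyo") == 0)
            Py_OptimizeFlag = 1;
    }
    /* ... lines deleted ... */
}

static int
maybe_pyc_file(FILE *fp, const char* filename, const char* ext, int closeit)
{
    /* Reads through ext, so it inherits the out-of-bounds pointer. */
    if (strcmp(ext, ".pyc") == 0 || strcmp(ext, ".pyo") == 0)
        return 1;
    /* ... lines deleted ... */
}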

A trivial solution is:

len = strlen(filename);
/* Parentheses are required: ?: binds more loosely than + and -. */
ext = filename + len - (len > 4 ? 4 : 0);

This will make ext point to the NUL terminator unless filename has room for the desired /.py[co]$/ suffix and at least one character beforehand, since I don't suppose it's intended that ".pyo" is a valid pyo file.
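The boundary cases described in the report, as an added example that is not part of the original report or of CPython. The helper names `unchecked_offset`, `safe_ext` and `has_pyc_suffix` and the sample filenames are constructed for illustration; the unchecked offset is computed as a signed number so the out-of-bounds pointer is never formed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SUFFIX_LEN 4  /* strlen(".pyc") */

/* Offset that the unchecked expression `strlen(filename) - 4` would use,
 * returned as a signed value. Negative means "before the string". */
static long
unchecked_offset(const char *filename)
{
    return (long)strlen(filename) - (long)SUFFIX_LEN;
}

/* Bounded version from the report: points at the last four bytes only when
 * the name is longer than four bytes, otherwise at the terminating NUL. */
static const char *
safe_ext(const char *filename)
{
    size_t len = strlen(filename);
    return filename + len - (len > (size_t)SUFFIX_LEN ? SUFFIX_LEN : 0);
}

/* Hypothetical helper (not CPython's): suffix test built on safe_ext(). */
static int
has_pyc_suffix(const char *filename)
{
    const char *ext = safe_ext(filename);
    return strcmp(ext, ".pyc") == 0 || strcmp(ext, ".pyo") == 0;
}

int
main(void)
{
    /* Constructed sample names, chosen to hit each length boundary. */
    const char *names[] = { "", "a", ".pyo", "a.pyo", "mod.pyc", "mod.py" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-8s unchecked=%+ld safe=+%zu match=%d\n", names[i],
               unchecked_offset(names[i]),
               (size_t)(safe_ext(names[i]) - names[i]),
               has_pyc_suffix(names[i]));
    return 0;
}
```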