Issue 1576861: potential buffer overflow in complexobject.c (original) (raw)

python version 2.4.3

Hello,

recently I came across the following bit of code in the source file Objects/complexobject.c:

static void complex_to_buf(char *buf, int bufsz, PyComplexObject *v, int precision) { char format[32]; if (v->cval.real == 0.) { PyOS_snprintf(format, 32, "%%.%ig", precision); PyOS_ascii_formatd(buf, bufsz, format, v->cval.imag); strncat(buf, "j", bufsz);

The strncat statement in the last line is potentially unsafe: the size argument of strncat determines how many characters are to be added maxmimally and not how large the buffer is in total. Also there needs to be space for an additional '\0' byte.

This seems currently not exploitable, because the function 'complex_to_buf' is always called with a large enough buffer, but it should be fixed any way (for example to make sure that nobody copies this code for use in another context).

I hope this helps, Jochen