From c6dd415252f255b583fcdae5d51a28e027284b06 Mon Sep 17 00:00:00 2001 From: Steve Dower Date: Thu, 27 Oct 2016 14:28:07 -0700 Subject: Issue #28522: Fixes mishandled buffer reallocation in getpathp.c --- PC/getpathp.c | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) (limited to 'PC') diff --git a/PC/getpathp.c b/PC/getpathp.c index 31f973eedb..0b0ae49739 100644 --- a/PC/getpathp.c +++ b/PC/getpathp.c @@ -581,7 +581,8 @@ read_pth_file(const wchar_t *path, wchar_t *prefix, int *isolated, int *nosite) wn = MultiByteToWideChar(CP_UTF8, 0, line, -1, wline, wn + 1); wline[wn] = '\0'; - while (wn + prefixlen + 4 > bufsiz) { + size_t usedsiz = wcslen(buf); + while (usedsiz + wn + prefixlen + 4 > bufsiz) { bufsiz += MAXPATHLEN; buf = (wchar_t*)PyMem_RawRealloc(buf, (bufsiz + 1) * sizeof(wchar_t)); if (!buf) { @@ -590,11 +591,21 @@ read_pth_file(const wchar_t *path, wchar_t *prefix, int *isolated, int *nosite) } } - if (buf[0]) + if (usedsiz) { wcscat_s(buf, bufsiz, L";"); + usedsiz += 1; + } - wchar_t *b = &buf[wcslen(buf)]; - wcscat_s(buf, bufsiz, prefix); + errno_t result; + _Py_BEGIN_SUPPRESS_IPH + result = wcscat_s(buf, bufsiz, prefix); + _Py_END_SUPPRESS_IPH + if (result == EINVAL) { + Py_FatalError("invalid argument during ._pth processing"); + } else if (result == ERANGE) { + Py_FatalError("buffer overflow during ._pth processing"); + } + wchar_t *b = &buf[usedsiz]; join(b, wline); PyMem_RawFree(wline); -- cgit v1.2.1