gh-42400: Fix buffer overflow in _Py_wrealpath() for very long paths (#141529)
authorShamil <ashm.tech@proton.me>
Tue, 18 Nov 2025 16:34:58 +0000 (19:34 +0300)
committerGitHub <noreply@github.com>
Tue, 18 Nov 2025 16:34:58 +0000 (17:34 +0100)
Co-authored-by: Victor Stinner <vstinner@python.org>
Misc/NEWS.d/next/Security/2025-11-13-22-31-56.gh-issue-42400.pqB5Kq.rst [new file with mode: 0644]
Python/fileutils.c

diff --git a/Misc/NEWS.d/next/Security/2025-11-13-22-31-56.gh-issue-42400.pqB5Kq.rst b/Misc/NEWS.d/next/Security/2025-11-13-22-31-56.gh-issue-42400.pqB5Kq.rst
new file mode 100644 (file)
index 0000000..17dc241
--- /dev/null
@@ -0,0 +1,3 @@
+Fix buffer overflow in ``_Py_wrealpath()`` for paths exceeding ``MAXPATHLEN`` bytes
+by using dynamic memory allocation instead of fixed-size buffer.
+Patch by Shamil Abdulaev.
index 93abd70a34d420c91c71d7a7548a198c48bcc0da..0c1766b88045002d25cbf207006f118739c55a1b 100644 (file)
@@ -2118,7 +2118,6 @@ _Py_wrealpath(const wchar_t *path,
               wchar_t *resolved_path, size_t resolved_path_len)
 {
     char *cpath;
-    char cresolved_path[MAXPATHLEN];
     wchar_t *wresolved_path;
     char *res;
     size_t r;
@@ -2127,12 +2126,14 @@ _Py_wrealpath(const wchar_t *path,
         errno = EINVAL;
         return NULL;
     }
-    res = realpath(cpath, cresolved_path);
+    res = realpath(cpath, NULL);
     PyMem_RawFree(cpath);
     if (res == NULL)
         return NULL;
 
-    wresolved_path = Py_DecodeLocale(cresolved_path, &r);
+    wresolved_path = Py_DecodeLocale(res, &r);
+    free(res);
+
     if (wresolved_path == NULL) {
         errno = EINVAL;
         return NULL;
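Review bot: `free(res)` sits a few lines below `PyMem_RawFree(cpath)` with nothing saying why the two buffers are released by different allocators, so a later tidy-up could switch it to `PyMem_RawFree()`, which is only equivalent while the raw allocator is plain malloc. I would add a comment above it such as `/* res was malloc()ed by realpath(); release it with free(), not PyMem_RawFree() */`. Separately, `realpath(cpath, NULL)` relies on the allocate-on-NULL behaviour that POSIX made mandatory only in the 2008 edition; on an older libc the call presumably fails with EINVAL rather than overflowing, but it is worth confirming that the build-time realpath check covers this case. The function body continues past the end of this hunk, so the copy into `resolved_path` and its length check are not visible here.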