Fix various potential buffer overrun problems.

diff --git a/Python/import.c b/Python/import.c
index f65504193349cceb2561d6982c4013daeeb9a00a..2f782aabbbb3a65cec6e02c7be52b9c3497c1ce1 100644 (file)
--- a/Python/import.c
+++ b/Python/import.c
@@ -167,8 +167,12 @@ extern char *getprogramname();
 
 #endif /* DYNAMIC_LINK */
 
-/* Magic word to reject .pyc files generated by other Python versions */
+/* Max length of module suffix searched for -- accommodates "module.so" */
+#ifndef MAXSUFFIXSIZE
+#define MAXSUFFIXSIZE 10
+#endif
 
+/* Magic word to reject .pyc files generated by other Python versions */
 #define MAGIC 0x999903L /* Increment by one for each incompatible change */
 
 static object *modules;
@@ -355,7 +359,7 @@ load_dynamic_module(name, namebuf, m, m_ret)
                         char buf[256];
                         if (verbose)
                                 perror(namebuf);
-                        sprintf(buf,"Failed to load %s", namebuf);
+                        sprintf(buf, "Failed to load %.200s", namebuf);
                         err_setstr(ImportError, buf);
                         return NULL;
                 }
@@ -396,7 +400,7 @@ get_module(m, name, m_ret)
        char *name;
        object **m_ret;
 {
-       int err, npath, i, len;
+       int err, npath, i, len, namelen;
        long magic;
        long mtime, pyc_mtime;
        char namebuf[MAXPATHLEN+1];
@@ -413,16 +417,21 @@ get_module(m, name, m_ret)
                return NULL;
        }
        npath = getlistsize(path);
+       namelen = strlen(name);
        for (i = 0; i < npath; i++) {
                v = getlistitem(path, i);
                if (!is_stringobject(v))
                        continue;
-               strcpy(namebuf, getstringvalue(v));
                len = getstringsize(v);
+               if (len + 1 + namelen + MAXSUFFIXSIZE >= MAXPATHLEN)
+                       continue; /* Too long */
+               strcpy(namebuf, getstringvalue(v));
+               if (strlen(namebuf) != len)
+                       continue; /* v contains '\0' */
                if (len > 0 && namebuf[len-1] != SEP)
                        namebuf[len++] = SEP;
                strcpy(namebuf+len, name);
-               len += strlen(name);
+               len += namelen;
                for (fdp = filetab; fdp->suffix != NULL; fdp++) {
                        strcpy(namebuf+len, fdp->suffix);
                        if (verbose > 1)
@@ -435,7 +444,7 @@ get_module(m, name, m_ret)
                        break;
        }
        if (fp == NULL) {
-               sprintf(namebuf, "No module named %s", name);
+               sprintf(namebuf, "No module named %.200s", name);
                err_setstr(ImportError, namebuf);
                return NULL;
        }
@@ -761,9 +770,9 @@ void aix_loaderror(char *namebuf)
        };
 
 #define LOAD_ERRTAB_LEN        (sizeof(load_errtab)/sizeof(load_errtab[0]))
-#define ERRBUF_APPEND(s)       strncat(errbuf, s, sizeof(errbuf))
+#define ERRBUF_APPEND(s) strncat(errbuf, s, sizeof(errbuf)-strlen(errbuf)-1)
 
-       sprintf(errbuf, " from module %s ", namebuf);
+       sprintf(errbuf, " from module %.200s ", namebuf);
 
        if (!loadquery(1, &message[0], sizeof(message))) 
                ERRBUF_APPEND(strerror(errno));
@@ -777,7 +786,7 @@ void aix_loaderror(char *namebuf)
                ERRBUF_APPEND(message[i]);
                ERRBUF_APPEND("\n");
        }
-       errbuf[strlen(errbuf)-1] = '\0' ;       /* trim off last newline */
+       errbuf[strlen(errbuf)-1] = '\0';        /* trim off last newline */
        err_setstr(ImportError, errbuf); 
        return; 
 }