* Python/traceback.c: security fix -- check for buffer oveflow

	before concatenating sys.path item and module name

diff --git a/Python/traceback.c b/Python/traceback.c
index ea8fa7d68b60ac1556646edb1f75e9e094e05b2b..1db9c941ccebb33563ba568f6939f265497d69ac 100644 (file)
--- a/Python/traceback.c
+++ b/Python/traceback.c
@@ -178,13 +178,18 @@ tb_displayline(f, filename, lineno, name)
                path = sysget("path");
                if (path != NULL && is_listobject(path)) {
                        int npath = getlistsize(path);
+                       int taillen = strlen(tail);
                        char namebuf[MAXPATHLEN+1];
                        for (i = 0; i < npath; i++) {
                                object *v = getlistitem(path, i);
                                if (is_stringobject(v)) {
                                        int len;
-                                       strcpy(namebuf, getstringvalue(v));
                                        len = getstringsize(v);
+                                       if (len + 1 + taillen >= MAXPATHLEN)
+                                               continue; /* Too long */
+                                       strcpy(namebuf, getstringvalue(v));
+                                       if (strlen(namebuf) != len)
+                                               continue; /* v contains '\0' */
                                        if (len > 0 && namebuf[len-1] != SEP)
                                                namebuf[len++] = SEP;
                                        strcpy(namebuf+len, tail);