New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
buffer overrun in wcstombs_errorpos() #60134
Comments
Coverity has found a buffer overrun in wcstombs_errorpos() defined at Message: On a 64bit Linux system SIZE_OF_WCHAR_T is 4 and MB_LEN_MAX 16. In this constellation buf is 8 bytes long (wchar_t[2]) but outbuf has a size of 16 bytes. This causes a buffer overrun in wcstombs(outbuf, buf, sizeof(outbuf)). |
Georg, |
buf[1] contains NUL if SIZE_OF_WCHAR_T is 4. The man page says: size_t wcstombs(char *dest, const wchar_t *src, size_t n) The conversion can stop for three reasons:
To me this sounds like there cannot be an invalid write. |
I'm convinced that this is a false positive: size_t wcstombs(char *dest, const wchar_t *src, size_t n); We have:
So:
Then the man page says: "... the programmer should make sure n is greater or equal to In this case, wcstombs(NULL, buf, 0) + 1 <= 5 and we call:
|
Stefan, |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: