From 8e67a3f09cb4be58ad69f36a20b5de145a1d79f4 Mon Sep 17 00:00:00 2001 From: Andy Clayton Date: Tue, 24 Mar 2020 23:32:52 -0500 Subject: fix python3 command (argv) wchar_t conversion Ensure strings passed to Py_Main have a terminating null character by including the extra character allocated for terminating null in the size passed to mbstowcs. Fix argv index so all arguments are not copied to argv[0]. Fixes potential buffer overflow due to passing argv[0] as destination with argv[i + 1] src and size to mbstowcs. --- src/pyinterp.cc | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) (limited to 'src/pyinterp.cc')
diff --git a/src/pyinterp.cc b/src/pyinterp.cc
index 9ae37687..aeafd2bd 100644
--- a/src/pyinterp.cc
+++ b/src/pyinterp.cc
@@ -331,13 +331,15 @@ value_t python_interpreter_t::python_command(call_scope_t& args)
 #if PY_MAJOR_VERSION >= 3
 wchar_t ** argv = new wchar_t *[args.size() + 1];
- argv[0] = new wchar_t[std::strlen(argv0) + 1];
- mbstowcs(argv[0], argv0, std::strlen(argv0));
+ std::size_t len = std::strlen(argv0) + 1;
+ argv[0] = new wchar_t[len];
+ mbstowcs(argv[0], argv0, len);
 for (std::size_t i = 0; i < args.size(); i++) {
 string arg = args.get(i);
- argv[i + 1] = new wchar_t[arg.length() + 1];
- mbstowcs(argv[0], arg.c_str(), std::strlen(arg.c_str()));
+ std::size_t len = arg.length() + 1;
+ argv[i + 1] = new wchar_t[len];
+ mbstowcs(argv[i + 1], arg.c_str(), len);
 }
 #else
 char ** argv = new char *[args.size() + 1];
-- cgit v1.2.3
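Review bot: The return value of `mbstowcs` is still ignored, both for `argv[0]` and inside the loop, so an argument that is not a valid multibyte sequence in the current locale makes the call return `(size_t)-1` and can leave the freshly allocated buffer without a terminating null before it is handed to Py_Main. Value-initialising the buffers, `argv[i + 1] = new wchar_t[len]();` (and the same for `argv[0]`), keeps the string terminated in that case. Comparing the result with `static_cast<std::size_t>(-1)` would additionally let the function report the bad argument instead of running with a truncated one. The inner `std::size_t len` also shadows the outer `len`; a distinct name such as `arg_len` would read more clearly. The body of `python_command` starts and continues outside this hunk.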