[reportlab-users] Buffer overrun with large parameters

Robin Becker robin at reportlab.com
Mon Apr 25 09:55:44 EDT 2005

amaury.forgeotdarc at ubitrade.com wrote:
> - when rl_accel is present, the script crashes with an Access Violation
> error.
> The cause is in _rl_accel.c, where the function _fp_one tries to write
> 136 digits in a static buffer which is only 30 characters long...
> - when rl_accel is not present, the generated PDF is invalid :
> "bad token 1.2e+136", but this one doesn't bother me.
> Since every number written in the PDF file uses the _fp_one function,
> I propose to protect it with a check like this one:
>       if(fabs(d)>=1.0e20){
>             PyErr_SetString(ErrorObject, "numeric value too large");
>             return NULL;
>             }
> 1e20 seems enough for any application...
..... that seems like a bug to me :(

I guess we should protect against such large numbers. I'll put in a fix today. 
Probaby we should be using those new fangled buffer overrun protected sprintf 
funcs, but I suppose they're not standardized yet. M$ calls it _snprintf, but I 
bet gcc and others differ.

Since we need to support 16.16 binary fp, 1e20 seems large enough.
Robin Becker

More information about the reportlab-users mailing list