Issue2589
Created on 2008-04-08 15:59 by jnferguson, last changed 2008-06-02 00:08 by gregory.p.smith.
msg65175
Author: Justin Ferguson (jnferguson)
Date: 2008-04-08 15:59
On architectures that do not have a vsnprintf() in their standard
library Python attempts to emulate it. When doing so, the implementation
ambitiously allocates more memory than requested without verifying the
sanity of the summed value. As a result it becomes possible (although
unlikely) for an integer overflow to occur misallocating memory and
causing a buffer overflow.
    int
    PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
    {
        int len; /* # bytes written, excluding \0 */
    [...]
        assert(str != NULL);
        assert(size > 0);
        assert(format != NULL);

    [...]
        /* Emulate it. */
        buffer = PyMem_MALLOC(size + 512);
        if (buffer == NULL) {
            len = -666;
            goto Done;
        }

        len = vsprintf(buffer, format, va);
        if (len < 0)
            /* ignore the error */;

        else if ((size_t)len >= size + 512)
            Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf");

        else {
            const size_t to_copy = (size_t)len < size ?
                                   (size_t)len : size - 1;
            assert(to_copy < size);
            memcpy(str, buffer, to_copy);
            str[to_copy] = '\0';
        }
        PyMem_FREE(buffer);
    Done:
    [...]
        str[size-1] = '\0';
        return len;
    }
msg67396
Author: Gregory P. Smith (gregory.p.smith)
Date: 2008-05-26 21:17
Fixed in trunk r63728.
There was a problem with the code on normal architectures as well.
The input was a size_t while the output was an int. So an integer
overflow could have happened going from the vsnprintf return value to
the integer since size_t is unsigned and int isn't (also when size_t is
a larger type than an int).
I don't think that would lead to memory corruption when using the
system's vsnprintf but it could have bad results if the caller expected
str to be null terminated properly.
I will backport this to release25-maint.
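A stand-alone illustration of the two checks discussed in msg65175 and msg67396 (an added example, not CPython's code and not the r63728 fix): the scratch-buffer size is computed only if size + 512 cannot wrap, and the length is converted to int only if it fits. SCRATCH_SLACK, checked_scratch_size, checked_length_to_int, safe_vsnprintf and safe_snprintf are assumed names, and the emulation's unbounded vsprintf is replaced by a bounded vsnprintf into the scratch buffer.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCRATCH_SLACK 512   /* the same slack the emulation path adds */
/* size + SCRATCH_SLACK without wrapping: 1 and the total in *out, or 0. */
int checked_scratch_size(size_t size, size_t *out)
{
    if (size == 0 || size > SIZE_MAX - SCRATCH_SLACK)
        return 0;                /* size 0 or would wrap past SIZE_MAX */
    *out = size + SCRATCH_SLACK;
    return 1;
}

/* size_t byte count -> int return value, or -1 if it does not fit. */
int checked_length_to_int(size_t len)
{
    return len > (size_t)INT_MAX ? -1 : (int)len;
}

/* The emulation path with both checks applied; -1 on any failure. */
int safe_vsnprintf(char *str, size_t size, const char *format, va_list va)
{
    size_t scratch, to_copy; char *buffer; int len;
    if (str == NULL || format == NULL || !checked_scratch_size(size, &scratch))
        return -1;
    if ((buffer = malloc(scratch)) == NULL)
        return -1;
    /* bounded write into scratch (the original used unbounded vsprintf) */
    len = vsnprintf(buffer, scratch, format, va);
    if (len < 0 || (size_t)len >= scratch) {
        free(buffer);
        return -1;
    }
    to_copy = (size_t)len < size ? (size_t)len : size - 1;
    memcpy(str, buffer, to_copy);
    str[to_copy] = '\0';
    free(buffer);
    return checked_length_to_int((size_t)len);
}

int safe_snprintf(char *str, size_t size, const char *format, ...)
{
    va_list va; int r;
    va_start(va, format); r = safe_vsnprintf(str, size, format, va); va_end(va);
    return r;
}
```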
msg67621
Author: Gregory P. Smith (gregory.p.smith)
Date: 2008-06-02 00:08
Fixed in release25-maint r63883.
Date                | User            | Action | Args
2008-06-02 00:08:51 | gregory.p.smith | set    | status: open -> closed; resolution: fixed; messages: + msg67621
2008-05-26 21:17:30 | gregory.p.smith | set    | priority: low -> normal; messages: + msg67396; title: PyOS_vsnprintf() potential integer overflow leads to memory corruption on esoteric architectures -> PyOS_vsnprintf() potential integer overflow leads to memory corruption
2008-05-25 09:13:07 | gregory.p.smith | set    | priority: low; assignee: gregory.p.smith; nosy: + gregory.p.smith
2008-04-08 15:59:48 | jnferguson      | create |