➜
This issue tracker has been migrated to GitHub,
and is currently read-only.
For more information,
see the GitHub FAQs in the Python's Developer Guide.
Created on 2008-04-08 15:59 by jnferguson, last changed 2022-04-11 14:56 by admin. This issue is now closed.
| Messages (3) | |||
|---|---|---|---|
| msg65175 - (view) | Author: Justin Ferguson (jnferguson) | Date: 2008-04-08 15:59 | |
On architectures that do not have a vsnprintf() in their standard
library Python attempts to emulate it. When doing so, the implementation
ambitiously allocates more memory than requested without verifying the
sanity of the summed value. As a result it becomes possible (although
unlikely) for an integer overflow to occur misallocating memory and
causing a buffer overflow.
53 int
54 PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
55 {
56 int len; /* # bytes written, excluding \0 */
[...]
60 assert(str != NULL);
61 assert(size > 0);
62 assert(format != NULL);
63
[...]
67 /* Emulate it. */
68 buffer = PyMem_MALLOC(size + 512);
69 if (buffer == NULL) {
70 len = -666;
71 goto Done;
72 }
73
74 len = vsprintf(buffer, format, va);
75 if (len < 0)
76 /* ignore the error */;
77
78 else if ((size_t)len >= size + 512)
79 Py_FatalError("Buffer overflow in
PyOS_snprintf/PyOS_vsnprintf");
80
81 else {
82 const size_t to_copy = (size_t)len < size ?
83 (size_t)len : size - 1;
84 assert(to_copy < size);
85 memcpy(str, buffer, to_copy);
86 str[to_copy] = '\0';
87 }
88 PyMem_FREE(buffer);
89 Done:
[...]
91 str[size-1] = '\0';
92 return len;
93 }
|
|||
| msg67396 - (view) | Author: Gregory P. Smith (gregory.p.smith) *  |
Date: 2008-05-26 21:17 | |
Fixed in trunk r63728. There was a problem with the code on normal architectures as well. The input was a size_t while the output was an int. So an integer overflow could have happened going from the vsnprintf return value to the integer since size_t is unsigned and int isn't (also when size_t is a larger type than an int). I don't think that would lead to memory corruption when using the system's vsnprintf but it could have bad results if the caller expected str to be null terminated properly. I will backport this to release25-maint. |
|||
| msg67621 - (view) | Author: Gregory P. Smith (gregory.p.smith) * |
Date: 2008-06-02 00:08 | |
Fixed in release25-maint r63883. |
|||
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:56:33 | admin | set | github: 46841 |
| 2008-06-02 00:08:51 | gregory.p.smith | set | status: open -> closed resolution: fixed messages: + msg67621 |
| 2008-05-26 21:17:30 | gregory.p.smith | set | priority: low -> normal messages: + msg67396 title: PyOS_vsnprintf() potential integer overflow leads to memory corruption on esoteric architectures -> PyOS_vsnprintf() potential integer overflow leads to memory corruption |
| 2008-05-25 09:13:07 | gregory.p.smith | set | priority: low assignee: gregory.p.smith nosy: + gregory.p.smith |
| 2008-04-08 15:59:48 | jnferguson | create | |