This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: python crash in pyexpat's XmlInitUnknownEncodingNS
Type:
Stage:
Components: Extension Modules
Versions: Python 2.3
process
Status: closed
Resolution: works for me
Dependencies:
Superseder:
Assigned To: fdrake
Nosy List: doko, fdrake, georg.brandl, loewis, nnorwitz
Priority: high
Keywords:

Created on 2004-01-24 07:15 by doko, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Files
testcase.tgz, uploaded by doko on 2004-01-24 07:15: testcase
exp.diff, uploaded by loewis on 2004-04-20 19:44
Messages (4)
msg19801 - Author: Matthias Klose (doko) * (Python committer) Date: 2004-01-24 07:15
[forwarded from http://bugs.debian.org/229281]

seen with 2.3.3, works with 2.2.3 and 2.1.3 (after
fixing the 2.1 incompatibilities). The pyexpat code
used is the one direct from the distribution, no
external library.

The attached testcase demonstrates a bug in,
apparently, /usr/lib/python2.3/lib-dynload/pyexpat.so.
Here's the bug in gdb:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 28350)]
0x40566800 in XmlInitUnknownEncodingNS ()
   from /usr/lib/python2.3/lib-dynload/pyexpat.so

To try it yourself, run "make" in the testcase
directory. I apologise for the size of this testcase; I
would have whittled it down to something simpler, but
I am not a python programmer. I also apologise if the
bug is really in some library that python uses; I only
went back as far as pyexpat.so.

Some developers on IRC feel this may be exploitable.
Talk with Scott James Remnant <scott@netsplit.com>, who
also has some idea of the encoding problems in the rss
file that are causing the crash.
msg19802 - Author: Martin v. Löwis (loewis) * (Python committer) Date: 2004-04-20 19:44
The parser crashes because it invokes GetBuffer inside
Parser, when Python is providing the next chunk of input,
which reallocs the buffer to a different location. However,
eventPtr is not updated inside GetBuffer (and neither is
positionPtr). As a result, the next access to eventPtr (in
XML_GetCurrentLineNumber, invoked from set_error), will
cause a segfault.

It is not clear to me why these pointers are not adjusted
when the buffer is reallocated. However, a consistent fix
appears to be to update the eventPtr close to the place
where positionPtr is initialized, which is done in the
attached patch exp.diff, which fixes this test case.

Fred, can you please review this patch?
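The realloc hazard described in this message, as an added example (not expat's code and not the attached exp.diff): a toy parser state whose eventPtr is left pointing at the old allocation when the buffer grows, unless it is recomputed from its offset after the realloc, which is the shape of the fix. The names Parser, get_buffer, event_in_buffer and grow_and_check are assumptions for the illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Model of the state the report describes (added example, not expat's code):
 * a raw eventPtr into a growable input buffer that GetBuffer may realloc. */
typedef struct {
    char *buf;             /* input buffer owned by the parser */
    size_t cap, used;      /* allocated and filled bytes */
    const char *eventPtr;  /* start of the current event; positionPtr is alike */
} Parser;
static int parser_init(Parser *p, size_t cap, size_t event_off) {
    if (!(p->buf = malloc(cap))) return 0;
    memset(p->buf, 'x', cap);          /* constructed filler, content irrelevant */
    p->cap = p->used = cap;
    p->eventPtr = p->buf + event_off;  /* an event part-way through the data */
    return 1;
}
/* GetBuffer as reported: rebase == 0 leaves eventPtr at the old allocation (the
 * bug); rebase == 1 recomputes it from its offset, the shape of the fix. */
static int get_buffer(Parser *p, size_t need, int rebase) {
    size_t event_off = (size_t)(p->eventPtr - p->buf);
    if (p->used + need > p->cap) {
        size_t new_cap = 2 * (p->used + need);
        char *nb = realloc(p->buf, new_cap);
        if (!nb) return 0;
        p->buf = nb;
        p->cap = new_cap;
    }
    if (rebase) p->eventPtr = p->buf + event_off;
    return 1;
}
/* The invariant XML_GetCurrentLineNumber relies on: eventPtr addresses the live
 * buffer. Compared as integers so a stale pointer is never dereferenced. */
static int event_in_buffer(const Parser *p) {
    uintptr_t b = (uintptr_t)p->buf, e = (uintptr_t)p->eventPtr;
    return e >= b && e <= b + p->used;
}
/* One grow step: 1 if eventPtr is still valid, 0 if stale, 2 if realloc kept
 * the old address so the bug cannot show, -1 on allocation failure. */
static int grow_and_check(int rebase) {
    Parser p;
    if (!parser_init(&p, 16, 5)) return -1;
    void *guard = malloc(64);  /* sits after buf so growing in place is unlikely */
    uintptr_t old_base = (uintptr_t)p.buf;
    int r = get_buffer(&p, 4096, rebase) ? event_in_buffer(&p) : -1;
    if (!rebase && r == 1 && (uintptr_t)p.buf == old_base) r = 2;
    free(p.buf); free(guard);
    return r;
}
```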
msg19803 - Author: Neal Norwitz (nnorwitz) * (Python committer) Date: 2005-09-30 05:14
Martin, this seems to work in Python 2.3.4, 2.4.2 and CVS.
Has it been fixed and can it be closed?
msg19804 - Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2006-07-29 10:51
Doesn't occur in 2.3.5, 2.4 head and SVN head. The patch
doesn't apply to expat 2.0 anymore. => Closing.
History
2022-04-11 14:56:02 admin set github: 39860
2004-01-24 07:15:11 doko create