Message 63303 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	cpalmer
Recipients	cpalmer
Date	2008-03-06.02:30:59
SpamBayes Score	0.002104982
Marked as misclassified	No
Message-id	<1204770663.59.0.831409423961.issue2242@psf.upfronthosting.co.za>
In-reply-to

Content
When decoding some data as UTF-7 with the optional "ignore" argument, Python (I am using 2.5.2) crashes. This happens only on Windows Vista (I also tried Py 2.5.1 on Windows XP, Ubuntu 7, and FreeBSD 6). To reproduce, set WinDbg as your post-mortem debugger and run this code: import os while True: a = os.urandom(16).decode("utf7", "ignore") In WinDbg, you will see that Python died in isalnum with a bad pointer dereference: (f64.13b0): Access violation - code c0000005 (!!! second chance !!!) eax=7c39a550 ebx=018e6837 ecx=0000ffe3 edx=00000003 esi=018edd66 edi=0000ffe3 eip=7c373977 esp=0021fc40 ebp=0000ffe3 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\MSVCR71.dll - MSVCR71!isalnum+0x35: 7c373977 0fb70448 movzx eax,word ptr [eax+ecx2] ds:0023:7c3ba516=???? 0:000> kb ChildEBP RetAddr Args to Child WARNING: Stack unwind information not available. Following frames may be wrong. 0021fc3c 1e0dd81e 0000ffe3 00ff1030 0000012e MSVCR71!isalnum+0x35 00000000 00000000 00000000 00000000 00000000 python25!PyUnicode_DecodeUTF7+0x10e It seems that a sanity check present in other Windows versions is missing in Vista. The simplest possible test program: #include "stdafx.h" #include <ctype.h> int _tmain(int argc, _TCHAR argv[]) { isalnum(0xff8b); return 0; } causes Visual Studio 2005 to raise a debug assertion failure warning. I guess that the assert is missing in the release build, and Python can be tricked into providing the unsafe input to isalnum.

When decoding some data as UTF-7 with the optional "ignore" argument,
Python (I am using 2.5.2) crashes. This happens only on Windows Vista (I
also tried Py 2.5.1 on Windows XP, Ubuntu 7, and FreeBSD 6). To
reproduce, set WinDbg as your post-mortem debugger and run this code:

    import os
    while True:
        a = os.urandom(16).decode("utf7", "ignore")

In WinDbg, you will see that Python died in isalnum with a bad pointer
dereference:

(f64.13b0): Access violation - code c0000005 (!!! second chance !!!)
eax=7c39a550 ebx=018e6837 ecx=0000ffe3 edx=00000003 esi=018edd66
edi=0000ffe3
eip=7c373977 esp=0021fc40 ebp=0000ffe3 iopl=0         nv up ei pl zr na
pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000            
efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols
for C:\Windows\system32\MSVCR71.dll -
MSVCR71!isalnum+0x35:
7c373977 0fb70448        movzx   eax,word ptr [eax+ecx*2]
ds:0023:7c3ba516=????
0:000> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be
wrong.
0021fc3c 1e0dd81e 0000ffe3 00ff1030 0000012e MSVCR71!isalnum+0x35
00000000 00000000 00000000 00000000 00000000
python25!PyUnicode_DecodeUTF7+0x10e

It seems that a sanity check present in other Windows versions is
missing in Vista. The simplest possible test program:

#include "stdafx.h"
#include <ctype.h>

int _tmain(int argc, _TCHAR* argv[])
{
    isalnum(0xff8b);
    return 0;
}

causes Visual Studio 2005 to raise a debug assertion failure warning. I
guess that the assert is missing in the release build, and Python can be
tricked into providing the unsafe input to isalnum.

History
Date	User	Action	Args
2008-03-06 02:31:03	cpalmer	set	spambayes_score: 0.00210498 -> 0.002104982 recipients: + cpalmer
2008-03-06 02:31:03	cpalmer	set	spambayes_score: 0.00210498 -> 0.00210498 messageid: <1204770663.59.0.831409423961.issue2242@psf.upfronthosting.co.za>
2008-03-06 02:31:02	cpalmer	link	issue2242 messages
2008-03-06 02:31:00	cpalmer	create