classification
Title: Multiple integer overflows in imgfile extension module lead to buffer overflow
Type: security Stage:
Components: Extension Modules Versions: Python 2.5
process
Status: closed Resolution: out of date
Dependencies: Superseder:
Assigned To: Nosy List: georg.brandl, jnferguson
Priority: low Keywords:

Created on 2008-04-08 16:56 by jnferguson, last changed 2010-08-21 23:09 by georg.brandl. This issue is now closed.

Messages (3)
msg65194 - (view) Author: Justin Ferguson (jnferguson) Date: 2008-04-08 16:56
The imgfile module contains multiple integer overflows, this module is
only used on SGI boxes and is likely mostly unused and thus is fairly
low priority imho-- no repros, no poc, no sgi box :/

I'm only going to post one to give you the idea, there's no need for me
to (further) spam the bug database by filing a bug for each one of
these, they're all pretty much the same.

Here the variables xsize, ysize and zsize are all externally derived.
While xsize and zsize are sanity checked, ysize is not. This potentially
results in an integer overflow/misallocation at line 133 and writes to
invalid memory in the calls to getrow()

 85 static PyObject *
 86 imgfile_read(PyObject *self, PyObject *args)
 87 {
 88         char *fname;
 89         PyObject *rv;
 90         int xsize, ysize, zsize;
 91         char *cdatap;
 92         long *idatap;
 93         static short rs[8192], gs[8192], bs[8192];
 94         int x, y;
 95         IMAGE *image;
 96         int yfirst, ylast, ystep;
 97
 98         if ( !PyArg_ParseTuple(args, "s:read", &fname) )
 99                 return NULL;
100    
101         if ( (image = imgfile_open(fname)) == NULL )
102                 return NULL;
[...]
116         xsize = image->xsize;
117         ysize = image->ysize;
118         zsize = image->zsize;
119         if ( zsize != 1 && zsize != 3) {
120                 iclose(image);
121                 PyErr_SetString(ImgfileError,
122                                 "Can only handle 1 or 3 byte pixels");
123                 return NULL;
124         }
125         if ( xsize > 8192 ) {
126                 iclose(image);
127                 PyErr_SetString(ImgfileError,
128                                 "Can't handle image with > 8192
columns");
129                 return NULL;
130         }
131 
132         if ( zsize == 3 ) zsize = 4;
133         rv = PyString_FromStringAndSize((char *)NULL,
xsize*ysize*zsize);
134         if ( rv == NULL ) {
138         cdatap = PyString_AsString(rv);
139         idatap = (long *)cdatap;
[...]
150         for ( y=yfirst; y != ylast && !error_called; y += ystep ) {
151                 if ( zsize == 1 ) {
152                         getrow(image, rs, y, 0);
153                         for(x=0; x<xsize; x++ )
154                                 *cdatap++ = rs[x];
155                 } else {
156                         getrow(image, rs, y, 0);
157                         getrow(image, gs, y, 1);
158                         getrow(image, bs, y, 2);
159                         for(x=0; x<xsize; x++ )
160                                 *idatap++ = (rs[x] & 0xff)  |
161                                         ((gs[x] & 0xff)<<8) |
162                                         ((bs[x] & 0xff)<<16);
163                 }
164         }
msg65196 - (view) Author: Justin Ferguson (jnferguson) Date: 2008-04-08 17:01
I'm not going to file a different bug for rgbimgmodule.c, it has the
same types of issues.

Sorry, I don't mean to drop a ton of bugs, I'm prepping up to do a talk
on attacking the metadata in scripting languages (i.e. the python call
stack instead of the processors) and I need to have these public/patched
before I talk about them. I've got a bunch more bugs, I'll file them
later when some of this stuff is caught up with.
msg114601 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2010-08-21 23:09
I don't think anyone cares about these modules anymore.
History
Date User Action Args
2010-08-21 23:09:18georg.brandlsetstatus: open -> closed

nosy: + georg.brandl
messages: + msg114601

resolution: out of date
2008-05-25 09:07:56gregory.p.smithsetpriority: low
2008-04-08 17:01:24jnfergusonsetmessages: + msg65196
2008-04-08 16:56:33jnfergusoncreate