classification
Title: Buffer overrun in binascii
Type: behavior Stage: resolved
Components: Extension Modules Versions: Python 3.7, Python 3.6, Python 3.5, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: python-dev, serhiy.storchaka, vstinner
Priority: normal Keywords: patch

Created on 2016-07-23 16:31 by serhiy.storchaka, last changed 2017-03-31 16:36 by dstufft. This issue is now closed.

Files
File name Uploaded Description Edit
binascii_qp_overrun.patch serhiy.storchaka, 2016-08-14 18:31 review
Pull Requests
URL Status Linked Edit
PR 552 closed dstufft, 2017-03-31 16:36
Messages (3)
msg271092 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2016-07-23 16:31
There is reading one byte past the end of the input buffer in binascii.b2a_qp(). Following example shows the behavior difference depending on the value of this byte:

>>> binascii.b2a_qp(memoryview(b'..')[:-1])
b'.'
>>> binascii.b2a_qp(bytes(memoryview(b'..')[:-1]))
b'=2E'

In rare cases (memoryview of mmap object or custom buffer) this can cause a segfault.

Maybe there are similar issues with other binascii functions (not checked).
msg272685 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2016-08-14 18:31
Here is a patch that fixes buffer overrun in binascii.b2a_qp() and binascii.a2b_qp() and adds additional tests.
msg276446 - (view) Author: Roundup Robot (python-dev) (Python triager) Date: 2016-09-14 13:39
New changeset 423ad3b14ee1 by Serhiy Storchaka in branch '3.5':
Issue #27599: Fixed buffer overrun in binascii.b2a_qp() and binascii.a2b_qp().
https://hg.python.org/cpython/rev/423ad3b14ee1

New changeset fbc579ec36ab by Serhiy Storchaka in branch '2.7':
Issue #27599: Fixed buffer overrun in binascii.b2a_qp() and binascii.a2b_qp().
https://hg.python.org/cpython/rev/fbc579ec36ab

New changeset d53e1a5576e6 by Serhiy Storchaka in branch '3.6':
Issue #27599: Fixed buffer overrun in binascii.b2a_qp() and binascii.a2b_qp().
https://hg.python.org/cpython/rev/d53e1a5576e6

New changeset 56294e03ad89 by Serhiy Storchaka in branch 'default':
Issue #27599: Fixed buffer overrun in binascii.b2a_qp() and binascii.a2b_qp().
https://hg.python.org/cpython/rev/56294e03ad89
History
Date User Action Args
2017-03-31 16:36:11dstufftsetpull_requests: + pull_request869
2016-09-14 13:40:09serhiy.storchakasetstatus: open -> closed
stage: patch review -> resolved
resolution: fixed
versions: + Python 3.7
2016-09-14 13:39:21python-devsetnosy: + python-dev
messages: + msg276446
2016-08-17 12:28:11vstinnersetnosy: + vstinner
2016-08-14 18:31:25serhiy.storchakasetfiles: + binascii_qp_overrun.patch
keywords: + patch
messages: + msg272685

stage: needs patch -> patch review
2016-07-23 16:31:32serhiy.storchakacreate