classification
Title: Out-of-bounds buffer access in match_getslice_by_index
Type: security
Stage: resolved
Components: Regular Expressions
Versions: Python 3.7, Python 3.6, Python 3.5
process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To: serhiy.storchaka
Nosy List: WGH, ezio.melotti, mrabarnett, python-dev, serhiy.storchaka
Priority: normal
Keywords: patch

Created on 2017-02-04 16:23 by WGH, last changed 2017-03-31 16:36 by dstufft. This issue is now closed.

Files
File name: match_getslice_by_index.patch
Uploaded: WGH, 2017-02-04 16:31
Pull Requests
URL: PR 552
Status: closed
Linked: dstufft, 2017-03-31 16:36
Messages (8)
msg286974 - Author: WGH (WGH) Date: 2017-02-04 16:23
In [1]: import re

In [2]: b = bytearray(b'A'*100)

In [3]: m = re.search(b'A*', b)

In [4]: m.group()
Out[4]: b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'

In [5]: del b[:]

In [6]: m.group()
Out[6]: b'\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x9a\xc4\xb2i\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

I will attach the patch shortly.
msg286984 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2017-02-04 19:52
Thank you for your patch, WGH. It is correct and fixes out-of-bounds buffer access. But I don't know what would be the better solution: silently adjust indices or raise RuntimeError?
msg286985 - Author: WGH (WGH) Date: 2017-02-04 20:06
Python 2.7 (CPython and PyPy) and also PyPy's Python 3 adjust the indices, like my patch does, if that matters.
msg286986 - Author: Serhiy Storchaka (serhiy.storchaka) (Python committer) Date: 2017-02-04 20:25
Ah, this is a good reason. The patch LGTM.
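The two options weighed in the messages above (adjust stale indices, or raise an error), as a small C model. This is an added example, not the attached patch and not CPython's code; subject_t, span_t, slice_clamped, slice_strict and demo are hypothetical names, and the scenario in demo is constructed to mirror the report.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model: the subject buffer can shrink after the match was made,
   so its current length must be re-read on every access. */
typedef struct {
    const unsigned char *data;  /* current start of the subject buffer */
    ptrdiff_t len;              /* current length of the subject buffer */
} subject_t;

typedef struct { ptrdiff_t start, end; } span_t;  /* offsets saved at match time */

/* Option 1: adjust stale indices to the buffer's current length, then copy.
   Returns the number of bytes copied into out. */
ptrdiff_t slice_clamped(const subject_t *s, span_t m, unsigned char *out, size_t cap)
{
    ptrdiff_t i = m.start, j = m.end;
    if (i < 0) i = 0;
    if (j < 0) j = 0;
    if (i > s->len) i = s->len;
    if (j > s->len) j = s->len;
    if (j < i) j = i;
    size_t n = (size_t)(j - i);
    if (n > cap) n = cap;
    if (n) memcpy(out, s->data + i, n);
    return (ptrdiff_t)n;
}

/* Option 2: refuse stale indices. Returns -1 where the Python-level
   alternative discussed in the thread would raise RuntimeError. */
ptrdiff_t slice_strict(const subject_t *s, span_t m, unsigned char *out, size_t cap)
{
    if (m.start < 0 || m.end < m.start || m.end > s->len)
        return -1;
    return slice_clamped(s, m, out, cap);
}

/* Constructed scenario: match all 100 bytes, then shrink the buffer to new_len
   (new_len = 0 corresponds to `del b[:]` in the report). */
ptrdiff_t demo(ptrdiff_t new_len, int strict)
{
    unsigned char storage[100], out[100];
    memset(storage, 'A', sizeof storage);
    subject_t s = { storage, 100 };
    span_t m = { 0, 100 };      /* span recorded by the match */
    s.len = new_len;            /* buffer mutated after the match */
    return strict ? slice_strict(&s, m, out, sizeof out)
                  : slice_clamped(&s, m, out, sizeof out);
}
```
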
msg286989 - Author: Roundup Robot (python-dev) (Python triager) Date: 2017-02-04 20:58
New changeset 4e65d6c20dae by Serhiy Storchaka in branch '3.5':
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
https://hg.python.org/cpython/rev/4e65d6c20dae

New changeset 393969776989 by Serhiy Storchaka in branch '3.6':
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
https://hg.python.org/cpython/rev/393969776989

New changeset 476b0fa34db4 by Serhiy Storchaka in branch 'default':
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
https://hg.python.org/cpython/rev/476b0fa34db4
msg286991 - Author: Roundup Robot (python-dev) (Python triager) Date: 2017-02-04 21:00
New changeset 83d13325dec591676eeafb12a4caa01a67ef2f7e by Serhiy Storchaka in branch 'master':
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
https://github.com/python/cpython/commit/83d13325dec591676eeafb12a4caa01a67ef2f7e

New changeset 929374345586086c9860a3937b275511dcc8185a by Serhiy Storchaka in branch 'master':
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
https://github.com/python/cpython/commit/929374345586086c9860a3937b275511dcc8185a

New changeset e0a10190f88e474a159da92b7b5be472e0d7f325 by Serhiy Storchaka in branch 'master':
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
https://github.com/python/cpython/commit/e0a10190f88e474a159da92b7b5be472e0d7f325
msg286992 - Author: Roundup Robot (python-dev) (Python triager) Date: 2017-02-04 21:00
New changeset 83d13325dec591676eeafb12a4caa01a67ef2f7e by Serhiy Storchaka in branch '3.6':
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
https://github.com/python/cpython/commit/83d13325dec591676eeafb12a4caa01a67ef2f7e

New changeset 929374345586086c9860a3937b275511dcc8185a by Serhiy Storchaka in branch '3.6':
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
https://github.com/python/cpython/commit/929374345586086c9860a3937b275511dcc8185a
msg286993 - Author: Roundup Robot (python-dev) (Python triager) Date: 2017-02-04 21:00
New changeset 83d13325dec591676eeafb12a4caa01a67ef2f7e by Serhiy Storchaka in branch '3.5':
Issue #29444: Fixed out-of-bounds buffer access in the group() method of
https://github.com/python/cpython/commit/83d13325dec591676eeafb12a4caa01a67ef2f7e
History
Date User Action Args
2017-03-31 16:36:17 dstufft set pull_requests: + pull_request917
2017-02-04 21:00:33 python-dev set messages: + msg286993
2017-02-04 21:00:31 python-dev set messages: + msg286992
2017-02-04 21:00:28 python-dev set messages: + msg286991
2017-02-04 20:59:58 serhiy.storchaka set status: open -> closed; resolution: fixed; stage: commit review -> resolved
2017-02-04 20:58:07 python-dev set nosy: + python-dev; messages: + msg286989
2017-02-04 20:25:17 serhiy.storchaka set assignee: serhiy.storchaka; stage: commit review; messages: + msg286986; versions: - Python 2.7
2017-02-04 20:06:47 WGH set messages: + msg286985
2017-02-04 19:52:19 serhiy.storchaka set nosy: + serhiy.storchaka; messages: + msg286984; versions: + Python 2.7, - Python 3.3, Python 3.4
2017-02-04 16:31:04 WGH set files: + match_getslice_by_index.patch; keywords: + patch
2017-02-04 16:23:03 WGH create