classification
Title: Do not read memory past the specified limit in PyUnicode_FromFormat() and PyBytes_FromFormat()
Type: crash Stage: resolved
Components: Interpreter Core Versions: Python 3.8, Python 3.7, Python 2.7
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: Nosy List: miss-islington, serhiy.storchaka
Priority: normal Keywords: patch

Created on 2018-12-21 11:15 by serhiy.storchaka, last changed 2019-01-12 09:21 by serhiy.storchaka. This issue is now closed.

Pull Requests
URL Status Linked Edit
PR 11276 merged serhiy.storchaka, 2018-12-21 11:35
PR 11533 merged miss-islington, 2019-01-12 08:30
PR 11534 merged serhiy.storchaka, 2019-01-12 08:49
Messages (4)
msg332289 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2018-12-21 11:15
Format characters %s and %V in PyUnicode_FromFormat() and %s in PyBytes_FromFormat() allow limiting the number of bytes read from the argument. For example, PyUnicode_FromFormat("must be string, not '%.50s'", obj->ob_type->tp_name) will use no more than 50 bytes from obj->ob_type->tp_name for creating a message.

But while the number of bytes used for creating the resulting Unicode or bytes object is limited, the current implementation can read past this limit. It uses strlen() to search for the first null byte, and bounds the result to the specified limit. If the input is not null-terminated, this can cause a crash.

The proposed PR makes the code never read past the specified limit.
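
The difference between clamping after strlen() and scanning with a bound, as an added example that is not code from this issue or from CPython. The function names and the constructed 8-byte record are assumptions made for illustration:

```c
#include <stdio.h>
#include <string.h>

/* Pattern the report describes: find the first NUL, then clamp to the limit.
 * The clamp bounds what is used, but strlen() has already read every byte
 * up to a terminator, wherever that is. Only safe on NUL-terminated input. */
size_t len_strlen_then_clamp(const char *s, long precision)
{
    size_t n = strlen(s);
    if (precision >= 0 && n > (size_t)precision)
        n = (size_t)precision;
    return n;
}

/* Bounded form: with a precision, inspect at most `precision` bytes. */
size_t len_bounded(const char *s, long precision)
{
    size_t n = 0;
    if (precision < 0)
        return strlen(s);  /* no limit given: caller guarantees a NUL */
    while (n < (size_t)precision && s[n] != '\0')
        n++;
    return n;
}

/* Constructed sample: fixed-width field that is full, so it has no NUL. */
struct record { char name[8]; char next_field[8]; };

size_t demo_fixed_width_field(void)
{
    struct record r;
    memcpy(r.name, "ABCDEFGH", sizeof r.name);
    memset(r.next_field, 'x', sizeof r.next_field);
    /* Equivalent of "%.8s": the scan stops at the end of r.name. */
    return len_bounded(r.name, (long)sizeof r.name);
}

int main(void)
{
    /* Both agree whenever the input is NUL-terminated. */
    printf("%zu %zu\n", len_strlen_then_clamp("hello", 3), len_bounded("hello", 3));
    printf("%zu %zu\n", len_strlen_then_clamp("hi", 50), len_bounded("hi", 50));
    /* Only the bounded form may be given the unterminated field. */
    printf("%zu\n", demo_fixed_width_field());
    return 0;
}
```

Building with -fsanitize=address and passing an unterminated buffer to the strlen()-based variant is one way to confirm the over-read in a test environment.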
msg333523 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2019-01-12 08:30
New changeset d586ccb04f79863c819b212ec5b9d873964078e4 by Serhiy Storchaka in branch 'master':
bpo-35552: Fix reading past the end in PyUnicode_FromFormat() and PyBytes_FromFormat(). (GH-11276)
https://github.com/python/cpython/commit/d586ccb04f79863c819b212ec5b9d873964078e4
msg333524 - Author: miss-islington (miss-islington) Date: 2019-01-12 08:52
New changeset cbc7c2c791185ad44b4b3ede72309df5f252f4cb by Miss Islington (bot) in branch '3.7':
bpo-35552: Fix reading past the end in PyUnicode_FromFormat() and PyBytes_FromFormat(). (GH-11276)
https://github.com/python/cpython/commit/cbc7c2c791185ad44b4b3ede72309df5f252f4cb
msg333525 - Author: Serhiy Storchaka (serhiy.storchaka) * (Python committer) Date: 2019-01-12 09:21
New changeset 555755ecff2669f4e020147d7d3a0aec71abb679 by Serhiy Storchaka in branch '2.7':
[2.7] bpo-35552: Fix reading past the end in PyString_FromFormat(). (GH-11276) (GH-11534)
https://github.com/python/cpython/commit/555755ecff2669f4e020147d7d3a0aec71abb679
History
Date User Action Args
2019-01-12 09:21:30 serhiy.storchaka set status: open -> closed
    resolution: fixed
    stage: patch review -> resolved
2019-01-12 09:21:00 serhiy.storchaka set messages: + msg333525
2019-01-12 08:52:58 miss-islington set nosy: + miss-islington
    messages: + msg333524
2019-01-12 08:49:14 serhiy.storchaka set pull_requests: + pull_request11133
2019-01-12 08:30:56 miss-islington set pull_requests: + pull_request11132
2019-01-12 08:30:53 miss-islington set pull_requests: + pull_request11131
2019-01-12 08:30:37 serhiy.storchaka set messages: + msg333523
2018-12-21 11:35:00 serhiy.storchaka set keywords: + patch
    stage: patch review
    pull_requests: + pull_request10510
2018-12-21 11:15:59 serhiy.storchaka create