Unsigned Integer Overflow in sre_lib.h #68754
Comments
I found an Unsigned Integer Overflow in sre_lib.h. Tested on En Windows 7 x86 + Python 3.4.3 / Python 3.5.0b2.

Crash: code: stack:

source code:

```c
LOCAL(Py_ssize_t)
SRE(search)(SRE_STATE* state, SRE_CODE* pattern)
{
    SRE_CHAR* ptr = (SRE_CHAR *)state->start;
    SRE_CHAR* end = (SRE_CHAR *)state->end;
    Py_ssize_t status = 0;
    Py_ssize_t prefix_len = 0;
    Py_ssize_t prefix_skip = 0;
    SRE_CODE* prefix = NULL;
    SRE_CODE* charset = NULL;
    SRE_CODE* overlap = NULL;
    int flags = 0;

    if (pattern[0] == SRE_OP_INFO) {
        /* optimization info block */
        /* <INFO> <1=skip> <2=flags> <3=min> <4=max> <5=prefix info> */
        flags = pattern[2];
        if (pattern[3] > 1) {
            /* adjust end point (but make sure we leave at least one
               character in there, so literal search will work) */
            end -= pattern[3] - 1;
            if (end <= ptr)
                end = ptr;
        }
        ...
    }
    ...
    } else
        /* general case */
        while (ptr <= end) {
            TRACE(("|%p|%p|SEARCH\n", pattern, ptr));
            state->start = state->ptr = ptr++;
            status = SRE(match)(state, pattern, 0);
            if (status != 0)
                break;
        }
}

SRE(count)(SRE_STATE* state, SRE_CODE* pattern, Py_ssize_t maxcount)
{
    SRE_CODE chr;
    SRE_CHAR c;
    SRE_CHAR* ptr = (SRE_CHAR *)state->ptr;
    SRE_CHAR* end = (SRE_CHAR *)state->end;
    Py_ssize_t i;

    /* adjust end */
    if (maxcount < end - ptr && maxcount != SRE_MAXREPEAT)
        end = ptr + maxcount;
    ...
#if SIZEOF_SRE_CHAR < 4
        if ((SRE_CODE) c != chr)
            ; /* literal can't match: doesn't fit in char width */
        else
#endif
        while (ptr < end && *ptr == c) // crash here, ptr points to an unreadable memory.
            ptr++;
        break;
}
```

poc code:

```python
import re
pattern = "([\\2]{1073741952})"
```
---cut---

1.) In SRE(search), pattern[3] is equal to 1073741952 (0x400000080). What's more, the program doesn't limit the max size, which causes the end pointer to point to an invalid, large address (bigger than ptr).
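Added illustration of the pointer arithmetic the report describes; this is not code from the report, from CPython, or from the bpo-18684 patch. It models 32-bit addresses with `uint32_t` so the wrap-around seen on x86 is reproducible on any host, with constructed addresses, and contrasts the subtract-then-compare logic of `SRE(search)` with a length-first check (my own hardened variant).

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a 32-bit address space (not CPython code). */
typedef uint32_t addr32;

/* Mirrors the original logic: subtract from the pointer first, compare
   afterwards.  When minwidth-1 exceeds the absolute address in `end`, the
   subtraction wraps to a huge value and the "end <= start" guard never fires. */
addr32 adjust_end_unchecked(addr32 start, addr32 end, uint32_t minwidth) {
    if (minwidth > 1) {
        end -= minwidth - 1;
        if (end <= start)
            end = start;
    }
    return end;
}

/* Hardened variant (assumption, not the upstream fix): compare the required
   width against the remaining length before touching the pointer, so no
   arithmetic can move `end` outside the subject buffer. */
addr32 adjust_end_checked(addr32 start, addr32 end, uint32_t minwidth) {
    uint32_t avail = end - start;          /* end >= start by construction */
    if (minwidth > 1) {
        if (minwidth - 1 >= avail)
            return start;                  /* keep one char for literal search */
        end -= minwidth - 1;
    }
    return end;
}

/* Returns 1 if the computed end still lies inside [start, end0], else 0. */
int end_in_bounds(addr32 start, addr32 end0, addr32 end) {
    return end >= start && end <= end0;
}

int main(void) {
    addr32 start = 0x00420000u, end0 = start + 8;   /* constructed 8-char subject */
    uint32_t minwidth = 1073741952u;                /* pattern[3] from the PoC */
    addr32 bad = adjust_end_unchecked(start, end0, minwidth);
    addr32 good = adjust_end_checked(start, end0, minwidth);
    printf("unchecked end=0x%08x in_bounds=%d\n", bad, end_in_bounds(start, end0, bad));
    printf("checked   end=0x%08x in_bounds=%d\n", good, end_in_bounds(start, end0, good));
    return 0;
}
```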
Does the patch for bpo-18684 fix this issue?

I didn't test that patch, I just found this bug in Python 3.4.3 by fuzzing the re module, and tested Python 3.5.0b2 on Windows 7 x86. It has the same problem.

I have just tested Python 2.7.10 on Windows 7 x86 with the poc code; it will also result in a Python crash.

Not having Windows, I can't reproduce the crash. Someone should test whether the patch for bpo-18684 fixes this issue and doesn't introduce other regressions.

Fixed by the patch on bpo-18684, see also my comments there.

I tested this patch, and it really fixed this issue. But I'm wondering: Python 2.7.10 was released on May 23, 2015, and this patch was created on March 22, 2015. So does it mean Python 2.7.10/3.5.0b2 was compiled and released without applying this patch?

Yes, this patch was not applied because it had no visible effect on Linux. Now, with your report, there is a case on Windows.

Thank you. I got it.

2015-07-06 18:53 GMT+08:00 Serhiy Storchaka <report@bugs.python.org>:

Thank you for your report. Without your example the patch would have been postponed indefinitely.