New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multiple buffer overflows in unicode processing #46872
Comments
174 static 95 #define PyMem_RESIZE(p, type, n) \ The unicode_resize() function acts essentially as a wrapper to This is specific to the Unicode objects, however I would not be |
You are probably referring to 32-bit platforms. At least on 64-bit >>> # this is to get the unicode_freelist initialized
... # the length of the string must be <= 9 to keep
... # unicode->str from being deallocated and set to
... # NULL
... bla = unicode('IOActive')
>>> del bla
>>>
>>>
>>> msg = 'A'*2147483647
>>>
>>> msg.decode('utf7')
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
MemoryError The code does check for success of the realloc(): PyMem_RESIZE(unicode->str, Py_UNICODE, length + 1);
if (!unicode->str) {
unicode->str = (Py_UNICODE *)oldstr;
PyErr_NoMemory();
return -1;
} Are you after the integer overflow and the fact that realloc() would (if |
Yes, excuse me-- this should be 32-bit specific as I believe Python will theory$ ./python -V |
Note that in r61458 Neal replaced PyMem_RESIZE with a direct call to PyMem_REALLOC thus eliminating integer overflow check even from the debug |
Justin, Where did you find the definition that you cited: 95 #define PyMem_RESIZE(p, type, n) \ ? Current Include/pymem.h does not have the assert:
) and it did not change for a while. |
The following simple change should be enough for this issue, but I would =================================================================== --- Objects/unicodeobject.c (revision 62237)
+++ Objects/unicodeobject.c (working copy)
@@ -261,8 +261,8 @@
it contains). */
oldstr = unicode->str;
- unicode->str = PyObject_REALLOC(unicode->str,
- sizeof(Py_UNICODE) * (length + 1));
+ unicode->str = SIZE_MAX/sizeof(Py_UNICODE) - 1 < length ? NULL :
+ PyObject_REALLOC(unicode->str, sizeof(Py_UNICODE) * (length +
1));
if (!unicode->str) {
unicode->str = (Py_UNICODE *)oldstr;
PyErr_NoMemory(); |
i pulled the Macros out of pymem.h in a Vanille 2.5.2? |
sorry didnt mean to change components and version-- I'm typing this from |
just fixing the modifications my phone made earlier tonight |
Additionally-- the PyMem_NEW()/PyMem_New() macro's need to be fixed: 231 static 85 #define PyMem_New(type, n) \ It looks like much of this is reachable from modules, unicode objects, |
On 32-bit platforms, it's probably best to add a size check. I don't |
Here's a patch that fixes this by making both Python's malloc and A side effect of this is that strings on 32bit platforms can no longer I do not think that is a problem. A 32-bit process by definition can any objections? |
On Sun, Apr 13, 2008 at 11:12 PM, Gregory P. Smith
This will not solve the original problem completely: multiplicative I don't object to limiting the allowed malloc/realoc size, but the |
here's an updated patch. It makes PyMem_NEW and PyMem_RESIZE macros Uses of the the macros have been cleaned up in the couple places I (IMHO PyMem_RESIZE & PyMem_Resize are a poorly designed macros. The |
diff up for review on http://codereview.appspot.com/2599 |
The patch looks good to me. |
Commited to trunk. r65182. This still needs backporting to release25-maint. (and release24-maint |
Committed revision 65261 for 2.5 |
In Python/pyarena.c: block_new(size_t size)
{
/* Allocate header and block as one unit.
ab_mem points just past header. */
block *b = (block *)malloc(sizeof(block) + size);
...
} Should a check for overflow of "size" also be performed before calling |
Neal committed changes for 2.4,2.5, so I removed those. |
Brett, open and fixed are contradictory? for what version did you reopen this? |
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: