bugs in scanstring_str() and scanstring_unicode() of _json module #47572

Closed
vstinner opened this issue Jul 8, 2008 · 8 comments
Labels: stdlib (Python modules in the Lib dir), type-crash (A hard crash of the interpreter, possibly with a core dump)

Comments

@vstinner
Member

vstinner commented Jul 8, 2008

BPO 3322
Nosy @birkenfeld, @etrepum, @vstinner
Files
  • _json.patch: A patch to see the problem and maybe fix the crash
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/birkenfeld'
    closed_at = <Date 2008-07-20.07:26:12.338>
    created_at = <Date 2008-07-08.22:58:09.475>
    labels = ['library', 'type-crash']
    title = 'bugs in scanstring_str() and scanstring_unicode() of _json module'
    updated_at = <Date 2008-07-20.07:26:12.300>
    user = 'https://github.com/vstinner'

    bugs.python.org fields:

    activity = <Date 2008-07-20.07:26:12.300>
    actor = 'georg.brandl'
    assignee = 'georg.brandl'
    closed = True
    closed_date = <Date 2008-07-20.07:26:12.338>
    closer = 'georg.brandl'
    components = ['Library (Lib)']
    creation = <Date 2008-07-08.22:58:09.475>
    creator = 'vstinner'
    dependencies = []
    files = ['10947']
    hgrepos = []
    issue_num = 3322
    keywords = ['patch']
    message_count = 8.0
    messages = ['69447', '70014', '70019', '70025', '70057', '70058', '70059', '70063']
    nosy_count = 3.0
    nosy_names = ['georg.brandl', 'bob.ippolito', 'vstinner']
    pr_nums = []
    priority = 'normal'
    resolution = 'fixed'
    stage = None
    status = 'closed'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue3322'
    versions = ['Python 2.6']

    @vstinner
    Member Author

    vstinner commented Jul 8, 2008

    scanstring_str() and scanstring_unicode() functions don't check the end
    value, whereas it can be outside the input string range. A check like this
    is needed:
        if (end < 0 || len <= end) {
            PyErr_SetString(PyExc_ValueError, "xxx");
            return NULL;
        }

    next is set to begin, but a few lines later (before the first use of next),
    it's set to end: for (next = end; ...).

    In the error message, e.g. "Invalid control character at (...)", begin is
    used as the character position, but I think that the right position is in
    the variable "end" (or maybe "next"?).

    I'm unable to fix these functions because I don't understand the code.

    @vstinner vstinner added stdlib Python modules in the Lib dir type-crash A hard crash of the interpreter, possibly with a core dump labels Jul 8, 2008
    @vstinner
    Member Author

    To reproduce the crash, try a very big negative integer as the second
    argument. Example:

    >>> _json.scanstring("test", -23492394)
    Erreur de segmentation (core dumped)
    
    >>> _json.scanstring(u"test", -1239239)
    Erreur de segmentation (core dumped)

    @birkenfeld
    Member

    Bob, do you know how to fix this?

    @vstinner
    Member Author

    I wrote that I'm unable to fix the bug correctly, but I wrote a patch
    to avoid the crash:

    • replace begin by end in error messages: is it correct?
    • use "end < 0 || len <= end" test to check scanstring() second
      argument => raise a ValueError if end value is invalid
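
The range check discussed in the comments above, as an added C sketch (not CPython's `_json.c` and not the attached patch): a simplified scanner that rejects an out-of-range start index before reading the buffer. The function name, status enum and reported positions are assumptions made for this illustration, and escape sequences are skipped rather than decoded.

```c
#include <stdio.h>
#include <string.h>

/* Added sketch: names are hypothetical, not CPython's _json.c. */
typedef enum { SCAN_OK, SCAN_ERR_RANGE, SCAN_ERR_UNTERMINATED,
               SCAN_ERR_CONTROL } scan_status;

/* Scan a JSON string body in buf[0..len) starting at index `end` (just
 * after the opening quote). On success *next_out is the index past the
 * closing quote; on error *err_pos is the position this sketch reports. */
scan_status scan_string_body(const char *buf, long len, long end,
                             long *next_out, long *err_pos)
{
    long next;

    /* The check proposed in the issue, done before any read of buf. */
    if (end < 0 || len <= end) {
        *err_pos = end;
        return SCAN_ERR_RANGE;
    }
    for (next = end; next < len; next++) {
        unsigned char c = (unsigned char)buf[next];
        if (c == '"') {
            *next_out = next + 1;
            return SCAN_OK;
        }
        if (c == '\\') {   /* skip the escaped character, unparsed */
            next++;
            continue;
        }
        if (c < 0x20) {    /* raw control character inside the string */
            *err_pos = next;
            return SCAN_ERR_CONTROL;
        }
    }
    *err_pos = end;        /* ran off the buffer without a closing quote */
    return SCAN_ERR_UNTERMINATED;
}

int main(void)
{
    const char *s = "test";  /* constructed input from the reproducer */
    long next = -1, pos = -1;
    scan_status st = scan_string_body(s, (long)strlen(s), -23492394L,
                                      &next, &pos);
    printf("status=%d pos=%ld\n", (int)st, pos);
    return st == SCAN_ERR_RANGE ? 0 : 1;
}
```

Without the first `if`, the loop's initial `buf[next]` would read far before the start of the buffer for the negative index used in the reproducer.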

    @etrepum
    Mannequin

    etrepum mannequin commented Jul 19, 2008

    Am I to understand that the bug here is that the C extension doesn't
    validate input properly if you call into it directly? Without a test I'm
    not entirely sure exactly how you could possibly get negative values
    into those functions using the json module as-is.

    @etrepum
    Mannequin

    etrepum mannequin commented Jul 19, 2008

    I've audited the patch, while it does fix the input range it looks like
    it regresses other things (at least the error messages). "begin" was
    intentionally used. The patch is not suitable for use, I'll create a
    minimal patch that just fixes input validation.

    @etrepum
    Mannequin

    etrepum mannequin commented Jul 19, 2008

    I just committed a fix to trunk in r65147, needs port to py3k?

    @etrepum etrepum mannequin assigned birkenfeld and unassigned etrepum Jul 19, 2008
    @birkenfeld
    Member

    Was merged in r65148.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022