Do not read memory past the specified limit in PyUnicode_FromFormat() and PyBytes_FromFormat() #79733

Closed
serhiy-storchaka opened this issue Dec 21, 2018 · 4 comments
Labels
3.7 (EOL) end of life 3.8 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-crash A hard crash of the interpreter, possibly with a core dump

Comments

@serhiy-storchaka
Member

BPO 35552
Nosy @serhiy-storchaka, @miss-islington
PRs
  • bpo-35552: Fix reading past the end in PyUnicode_FromFormat() and PyBytes_FromFormat(). #11276
  • [3.7] bpo-35552: Fix reading past the end in PyUnicode_FromFormat() and PyBytes_FromFormat(). (GH-11276) #11533
  • [2.7] bpo-35552: Fix reading past the end in PyString_FromFormat(). (GH-11276) #11534
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    GitHub fields:

    assignee = None
    closed_at = <Date 2019-01-12.09:21:30.979>
    created_at = <Date 2018-12-21.11:15:59.323>
    labels = ['interpreter-core', '3.7', '3.8', 'type-crash']
    title = 'Do not read memory past the specified limit in PyUnicode_FromFormat() and PyBytes_FromFormat()'
    updated_at = <Date 2019-01-12.09:21:30.979>
    user = 'https://github.com/serhiy-storchaka'

    bugs.python.org fields:

    activity = <Date 2019-01-12.09:21:30.979>
    actor = 'serhiy.storchaka'
    assignee = 'none'
    closed = True
    closed_date = <Date 2019-01-12.09:21:30.979>
    closer = 'serhiy.storchaka'
    components = ['Interpreter Core']
    creation = <Date 2018-12-21.11:15:59.323>
    creator = 'serhiy.storchaka'
    dependencies = []
    files = []
    hgrepos = []
    issue_num = 35552
    keywords = ['patch']
    message_count = 4.0
    messages = ['332289', '333523', '333524', '333525']
    nosy_count = 2.0
    nosy_names = ['serhiy.storchaka', 'miss-islington']
    pr_nums = ['11276', '11533', '11533', '11534']
    priority = 'normal'
    resolution = 'fixed'
    stage = 'resolved'
    status = 'closed'
    superseder = None
    type = 'crash'
    url = 'https://bugs.python.org/issue35552'
    versions = ['Python 2.7', 'Python 3.7', 'Python 3.8']

    @serhiy-storchaka
    Member Author

    Format characters %s and %V in PyUnicode_FromFormat() and %s in PyBytes_FromFormat() allow limiting the number of bytes read from the argument. For example, PyUnicode_FromFormat("must be string, not '%.50s'", obj->ob_type->tp_name) will use no more than 50 bytes from obj->ob_type->tp_name for creating a message.

    But while the number of bytes used for creating the resulting Unicode or bytes object is limited, the current implementation can read past this limit. It uses strlen() to search for the first null byte and bounds the result to the specified limit. If the input is not null-terminated, this can cause a crash.

    The proposed PR makes the code never read past the specified limit.

    @serhiy-storchaka serhiy-storchaka added 3.7 (EOL) end of life 3.8 only security fixes interpreter-core (Objects, Python, Grammar, and Parser dirs) type-crash A hard crash of the interpreter, possibly with a core dump labels Dec 21, 2018
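
The two ways of measuring a `%.<precision>s` argument described in the issue, as an added example that is not part of the original thread and is not CPython's code. The type and function names are hypothetical, and the constructed buffer has a distant terminator so that the strlen() variant stays well-defined when run.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result type: what is copied vs. what is read. */
typedef struct {
    size_t length;    /* bytes that would go into the resulting object */
    size_t examined;  /* bytes of the argument that were actually read */
} scan_result;

/* Pattern described in the issue: strlen() first, clamp afterwards.
   The scan runs to the first null byte, however far past the limit it is. */
static scan_result scan_strlen_then_clamp(const char *s, size_t precision)
{
    size_t n = strlen(s);
    scan_result r;
    r.length = n < precision ? n : precision;
    r.examined = n + 1;  /* strlen() reads the terminator as well */
    return r;
}

/* Bounded scan: memchr() never reads more than `precision` bytes. */
static scan_result scan_bounded(const char *s, size_t precision)
{
    const char *nul = memchr(s, '\0', precision);
    scan_result r;
    r.length = nul ? (size_t)(nul - s) : precision;
    r.examined = nul ? r.length + 1 : precision;
    return r;
}

/* Constructed input: 64 non-null bytes, terminator only at offset 64.
   With precision 8, bytes 8..64 stand in for memory past the limit. */
static const char *sample(void)
{
    static char buf[65];
    memset(buf, 'A', 64);
    buf[64] = '\0';
    return buf;
}

int main(void)
{
    scan_result a = scan_strlen_then_clamp(sample(), 8);
    scan_result b = scan_bounded(sample(), 8);
    printf("strlen+clamp: length=%zu examined=%zu\n", a.length, a.examined);
    printf("bounded:      length=%zu examined=%zu\n", b.length, b.examined);
    return 0;
}
```

Both variants produce the same 8-byte result; only the number of bytes read differs, which is why the defect shows up as a crash on unterminated input rather than as wrong output.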
    @serhiy-storchaka
    Member Author

    New changeset d586ccb by Serhiy Storchaka in branch 'master':
    bpo-35552: Fix reading past the end in PyUnicode_FromFormat() and PyBytes_FromFormat(). (GH-11276)
    d586ccb

    @miss-islington
    Contributor

    New changeset cbc7c2c by Miss Islington (bot) in branch '3.7':
    bpo-35552: Fix reading past the end in PyUnicode_FromFormat() and PyBytes_FromFormat(). (GH-11276)
    cbc7c2c

    @serhiy-storchaka
    Member Author

    New changeset 555755e by Serhiy Storchaka in branch '2.7':
    [2.7] bpo-35552: Fix reading past the end in PyString_FromFormat(). (GH-11276) (GH-11534)
    555755e

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022