Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

winreg:fixupMultiSZ should check that P < Q in the inner loop #53440

Closed
stutzbach mannequin opened this issue Jul 8, 2010 · 11 comments
Closed

winreg:fixupMultiSZ should check that P < Q in the inner loop #53440

stutzbach mannequin opened this issue Jul 8, 2010 · 11 comments
Labels
3.7 (EOL) end of life 3.8 only security fixes extension-modules C modules in the Modules dir OS-windows type-bug An unexpected behavior, bug, or error

Comments

@stutzbach
Copy link
Mannequin

stutzbach mannequin commented Jul 8, 2010

BPO 9194
Nosy @tjguk, @ned-deily, @zware, @eryksun, @zooba, @ZackerySpytz, @miss-islington
PRs
  • bpo-9194: Fix the bounds checking in winreg.c's fixupMultiSZ() #12687
  • [3.7] bpo-9194: Fix the bounds checking in winreg.c's fixupMultiSZ() (GH-12687) #12909
  • [3.6] bpo-9194: Fix the bounds checking in winreg.c's fixupMultiSZ() (GH-12687) #12910
  • [2.7] bpo-9194: Fix the bounds checking in winreg.c's fixupMultiSZ() (GH-12687) #12916
    		•

    Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

    Show more details

    GitHub fields:

    assignee = None
closed_at = <Date 2019-04-22.23:40:53.173>
created_at = <Date 2010-07-08.03:06:45.636>
labels = ['extension-modules', '3.8', 'type-bug', '3.7', 'OS-windows']
title = 'winreg:fixupMultiSZ should check that P < Q in the inner loop'
updated_at = <Date 2019-05-02.16:01:10.180>
user = 'https://bugs.python.org/stutzbach'

    bugs.python.org fields:

    activity = <Date 2019-05-02.16:01:10.180>
actor = 'ned.deily'
assignee = 'none'
closed = True
closed_date = <Date 2019-04-22.23:40:53.173>
closer = 'steve.dower'
components = ['Extension Modules', 'Windows']
creation = <Date 2010-07-08.03:06:45.636>
creator = 'stutzbach'
dependencies = []
files = []
hgrepos = []
issue_num = 9194
keywords = ['patch']
message_count = 11.0
messages = ['109511', '219901', '221201', '339447', '339465', '340659', '340660', '340663', '340685', '340686', '341281']
nosy_count = 8.0
nosy_names = ['tim.golden', 'ned.deily', 'stutzbach', 'zach.ware', 'eryksun', 'steve.dower', 'ZackerySpytz', 'miss-islington']
pr_nums = ['12687', '12909', '12910', '12916']
priority = 'normal'
resolution = 'fixed'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'behavior'
url = 'https://bugs.python.org/issue9194'
versions = ['Python 2.7', 'Python 3.6', 'Python 3.7', 'Python 3.8']
    @stutzbach
    Copy link
    Mannequin Author

    stutzbach mannequin commented Jul 8, 2010

    The comment before fixupMultiSZ and countString states:

    ** Note that fixupMultiSZ and countString have both had changes
    ** made to support "incorrect strings". The registry specification
    ** calls for strings to be terminated with 2 null bytes. It seems
    ** some commercial packages install strings which don't conform,
    ** causing this code to fail - however, "regedit" etc still work
    ** with these strings (ie only we don't!).

    As indicated in the comments, the two functions dutifully check the supplied length parameter and do not trust the data to be in the correct format.

    ... except for the inner loop in fixupMultiSZ, which reads:

                    for(; *P != '\0'; P++)
                        ;

    It should be the same as the inner loop of countStrings:

                for (; P < Q && *P != '\0'; P++)
                    ;

    @ezio-melotti ezio-melotti added extension-modules C modules in the Modules dir OS-windows type-bug An unexpected behavior, bug, or error labels Jul 8, 2010
    @BreamoreBoy
    Copy link
    Mannequin

    BreamoreBoy mannequin commented Jun 6, 2014

    @tim is this something that you can comment on?

    @BreamoreBoy
    Copy link
    Mannequin

    BreamoreBoy mannequin commented Jun 21, 2014

    @Steve/Zach FYI.

    @ZackerySpytz
    Copy link
    Mannequin

    ZackerySpytz mannequin commented Apr 4, 2019

    I've created a PR for this issue.

    @ZackerySpytz ZackerySpytz mannequin added 3.7 (EOL) end of life 3.8 only security fixes labels Apr 4, 2019
    @eryksun
    Copy link
    Contributor

    eryksun commented Apr 4, 2019

    There's still a potential problem when Reg2Py calls wcslen(str[index]). This could be addressed by having fixupMultiSZ take an int array to store the length of each string. For example:

        static void
    fixupMultiSZ(wchar_t **strings, int *lengths, wchar_t *data, int len)
    {
        wchar_t *P, *Q = data + len;
        int i;

        for (P = data, i = 0; P < Q && *P; P++, i++) {
            strings[i] = P;
            lengths[i] = 0;
            for (; P < Q && *P; P++) {
                lengths[i]++;
            }
        }
    }

    We'd have to allocate the lengths array in Reg2Py, like we do for the strings array. Also, we can remove the overflow error check prior to PyUnicode_FromWideChar. The longest possible length is retDataSize / 2, which occurs if a single string is stored without any null terminators.

    @zooba
    Copy link
    Member

    zooba commented Apr 22, 2019

    New changeset 56ed864 by Steve Dower (Zackery Spytz) in branch 'master':
    bpo-9194: Fix the bounds checking in winreg.c's fixupMultiSZ() (GH-12687)
    56ed864

    @zooba
    Copy link
    Member

    zooba commented Apr 22, 2019

    Thanks Zackery! I've merged this main part of the fix (though it requires a manual backport to 2.7). As it's a buffer overrun, I've sent it back to 3.6 as well.

    Eryk - thanks for the additional detail. I wonder whether it would be just as easy to guarantee an over-allocation in this case and force a null terminator? (In fact, that would probably have handled the same case that Zackery just fixed, but we didn't have a patch ready for that approach)

    @miss-islington
    Copy link
    Contributor

    New changeset 7038dee by Miss Islington (bot) in branch '3.7':
    bpo-9194: Fix the bounds checking in winreg.c's fixupMultiSZ() (GH-12687)
    7038dee

    @miss-islington
    Copy link
    Contributor

    New changeset 84efbae by Miss Islington (bot) (Zackery Spytz) in branch '2.7':
    [2.7] bpo-9194: Fix the bounds checking in winreg.c's fixupMultiSZ() (GH-12687) (GH-12916)
    84efbae

    @zooba
    Copy link
    Member

    zooba commented Apr 22, 2019

    Declaring this done - Ned can take the backport to 3.6 if/when he feels like it.

    @zooba zooba closed this as completed Apr 22, 2019
    @ned-deily
    Copy link
    Member

    New changeset dadc347 by Ned Deily (Miss Islington (bot)) in branch '3.6':
    bpo-9194: Fix the bounds checking in winreg.c's fixupMultiSZ() (GH-12687) (GH-12910)
    dadc347

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
    Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
    Assignees
    No one assigned
    Labels
    3.7 (EOL) end of life 3.8 only security fixes extension-modules C modules in the Modules dir OS-windows type-bug An unexpected behavior, bug, or error
    Projects
    None yet
    Milestone
    No milestone
    Development

    No branches or pull requests
    5 participants
    @eryksun @zooba @ned-deily @ezio-melotti @miss-islington