
Author lauri.alanko
Recipients lauri.alanko
Date 2013-05-25.19:07:25
Message-id <1369508846.31.0.680698237225.issue18060@psf.upfronthosting.co.za>
In Modules/_ctypes/stgdict.c:567 there is a suspicious line:

    stgdict->length = len;      /* ADD ffi_ofs? */

That is, the length field of the stgdict is set to the number of fields in the immediate Structure class, and the number of fields in the parent class (ffi_ofs) is questionably left out. This is wrong.

The length field is used in PyCStgDict_clone to copy the ffi_type descriptors for struct elements to a derived struct type. If length is short, not all element types are copied, and the resulting array is not NULL-terminated.

So the problem manifests when you inherit from a structure type, update the _fields_ of the inherited type, and then inherit again from the updated type. Even then everything might seem normal, since the elements array is actually not used very much.

However, attached is a test case that segfaults at least with debug builds on ARM with the VFP ABI. The non-null-terminated element type array is traversed to find if the structure can be passed in floating point registers, eventually resulting in dereferencing 0xfbfbfbfb.

The test program should print out pi. To avoid the hassle of a separate C component, the program abuses the standard atan2 function by pretending it takes a struct of two doubles instead of two separate double parameters. This does not make a difference to the ABI.

Fixing the bug is trivial. Just change the line to:

    stgdict->length = ffi_ofs + len;
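As an added illustration (not part of the report or of CPython's own code), a small C model of the copy described above: a correctly NULL-terminated source descriptor for a derived structure with ffi_ofs inherited fields and len own fields is cloned once with length = len and once with length = ffi_ofs + len. The descriptor type, the 0xfbfbfbfb poison fill and the bounded walk are stand-ins assumed here; the real classifier walks until it finds NULL.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for an ffi_type element descriptor; only its address matters,
 * since the code under discussion just walks an array of pointers. */
typedef struct { int tag; } fake_ffi_type;

/* Debug-malloc fill pattern named in the report: an uninitialised slot
 * looks like this, not like the NULL terminator a walker expects. */
#define GARBAGE_PTR ((fake_ffi_type *)(uintptr_t)0xfbfbfbfbu)

/* Model of the element copy in PyCStgDict_clone as the report describes it:
 * length+1 slots are allocated and that many pointers copied. `guard` adds
 * poisoned slots so the walk below can overrun without an OOB read. */
static fake_ffi_type **clone_elements(fake_ffi_type **src, size_t length,
                                      size_t guard) {
    size_t slots = length + 1 + guard;
    fake_ffi_type **dst = malloc(slots * sizeof *dst);
    for (size_t i = 0; i < slots; i++)
        dst[i] = GARBAGE_PTR;                       /* simulated debug fill */
    memcpy(dst, src, (length + 1) * sizeof *dst);  /* the copy being modelled */
    return dst;
}

/* Walk like an ABI classifier looking for the NULL terminator, but stop after
 * `limit` slots. Returns the terminator's index, or -1 if none is in range. */
static long find_terminator(fake_ffi_type **elems, size_t limit) {
    for (size_t i = 0; i < limit; i++)
        if (elems[i] == NULL)
            return (long)i;
    return -1;
}

/* Build a terminated source for ffi_ofs inherited + len own fields, clone it
 * using `length_used` as stgdict->length, and report the clone's terminator. */
static long terminator_after_clone(size_t ffi_ofs, size_t len,
                                   size_t length_used) {
    size_t total = ffi_ofs + len;
    static fake_ffi_type fields[16];
    fake_ffi_type *src[17];
    if (total > 16 || length_used > total) return -2;  /* outside the model */
    for (size_t i = 0; i < total; i++) src[i] = &fields[i];
    src[total] = NULL;
    fake_ffi_type **dst = clone_elements(src, length_used, total + 1);
    long found = find_terminator(dst, total + 2);
    free(dst);
    return found;
}
```

With no parent fields (ffi_ofs = 0) both formulas agree, which is why the report notes the problem only appears once a structure type is inherited from and then inherited from again.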