Message 20201 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	jojoworks
Recipients
Date	2004-03-19.22:45:37
SpamBayes Score
Marked as misclassified
Message-id
In-reply-to

Content
Logged In: YES user_id=688090 Result of a brief scan: When the exceptional situation happens, the pyexpat.c module trashes parser->m_positionPtr (aliased as positionPtr) (see modules/expat/xmlparse.c, function XML_GetCurrentLineNumber() and similar). When the errorhandler forgets to raises an exception or exit, the module tries to access memory through the garbage pointer and segfaults. It seems to be buffer overrun bug: the pointer gets thrashed when some sort of input (the erroneous entity) is large enough to reach it (or variable from which the pointer is fetched). It is impossible for me to do further investigations because gdb/Mangrake GNU/Linux refuses to trace dlopen()ed shared object and I don't understand it's code enough to "debug" it by hand.

Logged In: YES 
user_id=688090

Result of a brief scan:

When the exceptional situation happens, the pyexpat.c module
trashes parser->m_positionPtr (aliased as positionPtr) (see
modules/expat/xmlparse.c, function
XML_GetCurrentLineNumber() and similar). When the
errorhandler forgets to raises an exception or exit, the
module tries to access memory through the garbage pointer
and segfaults.

It seems to be buffer overrun bug: the pointer gets thrashed
when some sort of input (the erroneous entity) is large
enough to reach it (or variable from which the pointer is
fetched).

It is impossible for me to do further investigations because
gdb/Mangrake GNU/Linux refuses to trace dlopen()ed shared
object and I don't understand it's code enough to "debug" it
by hand.

History
Date	User	Action	Args
2007-08-23 14:20:20	admin	link	issue914148 messages
2007-08-23 14:20:20	admin	create