Author dev_zzo
Recipients JohnLeitch, dev_zzo, serhiy.storchaka
Date 2015-06-18.08:22:30
Message-id <1434615751.61.0.720201349881.issue24462@psf.upfronthosting.co.za>
Content
A quick analysis shows that this can be attributed to the following code (in 2.7):

https://hg.python.org/cpython/file/a8e24d776e99/Objects/stringlib/fastsearch.h#l110
https://hg.python.org/cpython/file/a8e24d776e99/Objects/stringlib/fastsearch.h#l116

Suppose i = 0; then s[i+m] causes an OOB access when m=n. Note that only one iteration is possible in the case of m=n due to the loop condition of i <= (w = n-m = 0). Theoretically, one can try disclosing one adjacent byte, but the more likely results are nothing (or a potentially invalid match result) or a potential crash in the unlucky case of s[m] hitting an unmapped page.

The same code lives in 3.2 (and likely any prior 3.x release), and 3.3 seems to be affected as well. 3.4 code has a modified version, but has the same problem (ss = s + m - 1; if (!STRINGLIB_BLOOM(mask, ss[i+1])) ...).
History
Date  User  Action  Args
2015-06-18 08:22:31  dev_zzo  set  recipients: + dev_zzo, serhiy.storchaka, JohnLeitch
2015-06-18 08:22:31  dev_zzo  set  messageid: <1434615751.61.0.720201349881.issue24462@psf.upfronthosting.co.za>
2015-06-18 08:22:31  dev_zzo  link  issue24462 messages
2015-06-18 08:22:30  dev_zzo  create
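The off-by-one peek described in the message above, as an added example that is not part of the original message and is not CPython's code: a simplified model of the skip loop whose reads go through an instrumented accessor, so the highest index requested can be compared with and without a bounds check. The names rd, model_search and max_idx are hypothetical, the bloom filter is replaced by a linear scan, and the guard is one possible check, assumed here rather than taken from the upstream fix.

```c
#include <stddef.h>
#include <stdio.h>

static size_t max_idx;  /* highest index of s[] requested by the last search */

/* Instrumented read: records the index and never dereferences past n. */
static unsigned char rd(const char *s, size_t n, size_t idx)
{
    if (idx > max_idx) max_idx = idx;
    return idx < n ? (unsigned char)s[idx] : 0;
}

/* Simplified model of the skip loop (not CPython's code): the bloom filter
   is replaced by a linear "is c in the pattern" scan. guarded != 0 adds a
   bounds check before the peek at s[i+m]. Returns match offset or -1. */
static long model_search(const char *s, size_t n, const char *p, size_t m,
                         int guarded)
{
    size_t i, j, k, w;
    unsigned char c;

    max_idx = 0;
    if (m == 0 || m > n) return -1;
    w = n - m;
    for (i = 0; i <= w; i++) {
        if (rd(s, n, i + m - 1) == (unsigned char)p[m - 1]) {
            for (j = 0; j < m - 1; j++)
                if (rd(s, n, i + j) != (unsigned char)p[j]) break;
            if (j == m - 1) return (long)i;
        }
        if (guarded && i + m >= n) break;   /* no byte after the window */
        c = rd(s, n, i + m);                /* peek; index n when i == w */
        for (k = 0; k < m && (unsigned char)p[k] != c; k++) ;
        if (k == m) i += m;                 /* c not in pattern: skip window */
    }
    return -1;
}

int main(void)
{
    /* Constructed input with m == n, the case described above. */
    model_search("abcd", 4, "abce", 4, 0);
    printf("unguarded: highest index %zu of a 4-byte buffer\n", max_idx);
    model_search("abcd", 4, "abce", 4, 1);
    printf("guarded:   highest index %zu\n", max_idx);
    return 0;
}
```

The accessor returns 0 for any out-of-range index instead of reading it, so the demonstration itself stays within the buffer.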