Author JordyZomer
Recipients JordyZomer
Date 2021-01-16.08:03:26
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1610784207.02.0.722384660803.issue42938@roundup.psfhosted.org>
In-reply-to
Content
Hi, 

There's a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c.

The buffer overflow happens due to not checking the length of the sprintf() function on line: 

    case 'd':
        sprintf(buffer, "<cparam '%c' (%f)>",
            self->tag, self->value.d);
        break;

Because we control self->value.d we could make it copy _extreme_ values. For example we could make it copy 1e300, which would be a 1 with 300 zeros, to overflow the buffer.

This could potentially cause RCE when a user allows untrusted input in these functions.

A minimal PoC:

>>> from ctypes import *
>>> c_double.from_param(1e300)
*** buffer overflow detected ***: terminated
Aborted


I recommend __always__ controlling how much you copy so I'd use snprintf with a size argument instead.

Best Regards,

Jordy Zomer
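As an added example (not the reporter's code and not CPython's), the unbounded pattern's required output length beside a bounded snprintf replacement for the same format string; REPR_BUF is an assumed buffer size, not the real callproc.c buffer.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for illustration; the actual size of the local
 * buffer in _ctypes/callproc.c is not stated in the report. */
#define REPR_BUF 256

/* How many characters (excluding the NUL) the "%f" repr of d needs.
 * This is exactly what an unbounded sprintf() would write, so any
 * result >= REPR_BUF means the original code overruns its buffer. */
static int repr_len_needed(char tag, double d) {
    return snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, d);
}

/* Bounded replacement: writes at most bufsize bytes and always
 * NUL-terminates. Returns 1 if the whole repr fit, 0 if it was
 * truncated (the caller can then fall back to a shorter format). */
static int cparam_repr_safe(char *buf, size_t bufsize, char tag, double d) {
    int n = snprintf(buf, bufsize, "<cparam '%c' (%f)>", tag, d);
    return n >= 0 && (size_t)n < bufsize;
}

int main(void) {
    char buf[REPR_BUF];
    double samples[] = { 1.5, 1e300 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int need = repr_len_needed('d', samples[i]);
        int ok = cparam_repr_safe(buf, sizeof buf, 'd', samples[i]);
        printf("%g needs %d chars, buffer %d: %s\n", samples[i], need,
               REPR_BUF, ok ? "fits" : "would overflow, truncated");
    }
    return 0;
}
```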
History
Date                 User        Action  Args
2021-01-16 08:03:27  JordyZomer  set     recipients: + JordyZomer
2021-01-16 08:03:27  JordyZomer  set     messageid: <1610784207.02.0.722384660803.issue42938@roundup.psfhosted.org>
2021-01-16 08:03:26  JordyZomer  link    issue42938 messages
2021-01-16 08:03:26  JordyZomer  create