Message385136
Hi,
There's a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c.
The buffer overflow happens due to not checking the length of the sprintf() function on line:
case 'd':
sprintf(buffer, "<cparam '%c' (%f)>",
self->tag, self->value.d);
break;
Because we control self->value.d we could make it copy _extreme_ values. For example, we could make it copy 1e300, which would be a 1 with 300 zeros, to overflow the buffer.
This could potentially cause RCE when a user allows untrusted input in these functions.
A minimal PoC:
>>> from ctypes import *
>>> c_double.from_param(1e300)
*** buffer overflow detected ***: terminated
Aborted
I recommend __always__ controlling how much you copy so I'd use snprintf with a size argument instead.
Best Regards,
Jordy Zomer
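The fixed-size-buffer pattern described in the report, shown beside the snprintf-based form it recommends, as an added example that is not code from the report or from CPython. The 256-byte buffer size is an assumption for this example; the report above does not state it. The point it makes concrete is that %f of a large double is not a short string: a double near 1e300 expands to more than 300 characters, so any fixed buffer that is not sized for the worst case must be written with a length bound, and the caller must check snprintf's return value to learn that the output was truncated.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Assumed size of the fixed stack buffer used by the repr routine
 * (an assumption for this example; the report does not give it). */
#define CPARAM_BUF 256

/* The original pattern, shown for reference only and never called here,
 * because it writes as many bytes as the %f expansion needs:
 *
 *     char buffer[CPARAM_BUF];
 *     sprintf(buffer, "<cparam '%c' (%f)>", tag, v);
 */

/* Number of bytes the repr needs, excluding the terminating NUL.
 * snprintf with a NULL buffer and size 0 only measures (C99). */
size_t cparam_repr_len(char tag, double v)
{
    int n = snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, v);
    return n < 0 ? 0 : (size_t)n;
}

/* Hardened form: never writes past out[outsz - 1], always NUL-terminates
 * when outsz > 0, and returns 1 if the result did not fit (truncated). */
int cparam_repr(char *out, size_t outsz, char tag, double v)
{
    int n;
    if (outsz == 0)
        return 1;
    n = snprintf(out, outsz, "<cparam '%c' (%f)>", tag, v);
    if (n < 0) {
        out[0] = '\0';
        return 1;
    }
    /* snprintf returns the length it wanted to write; >= outsz means
     * the output was cut short, which the caller must not ignore. */
    return (size_t)n >= outsz;
}

/* Formats v into a CPARAM_BUF-sized stack buffer with the hardened routine
 * and returns the resulting string length: it can never reach CPARAM_BUF. */
size_t bounded_repr_strlen(double v)
{
    char buf[CPARAM_BUF];
    cparam_repr(buf, sizeof buf, 'd', v);
    return strlen(buf);
}

/* Reports whether formatting v into the fixed buffer would be truncated. */
int repr_truncated(double v)
{
    char buf[CPARAM_BUF];
    return cparam_repr(buf, sizeof buf, 'd', v);
}

int main(void)
{
    /* Constructed sample inputs: a benign value and two extreme ones. */
    const double samples[] = { 1.0, 1e300, -1e308 };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("value=%g needs %zu bytes (+NUL); buffer=%d; truncated=%d; "
               "stored strlen=%zu\n",
               samples[i], cparam_repr_len('d', samples[i]), CPARAM_BUF,
               repr_truncated(samples[i]), bounded_repr_strlen(samples[i]));
    }
    return 0;
}
```

Note that snprintf alone only stops the overflow; a caller that then uses the truncated string as if it were the full repr will silently return wrong output, which is why the hardened routine surfaces the truncation flag instead of hiding it.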
History:
Date | User | Action | Args
2021-01-16 08:03:27 | JordyZomer | set | recipients: + JordyZomer
2021-01-16 08:03:27 | JordyZomer | set | messageid: <1610784207.02.0.722384660803.issue42938@roundup.psfhosted.org>
2021-01-16 08:03:26 | JordyZomer | link | issue42938 messages
2021-01-16 08:03:26 | JordyZomer | create |