Message 390285 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	serhiy.storchaka
Recipients	christian.heimes, serhiy.storchaka, xxm
Date	2021-04-06.07:25:32
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1617693932.47.0.94993787238.issue43599@roundup.psfhosted.org>
In-reply-to

Content
__dcigettext() contains: domainname_len = strlen (domainname); xdomainname = (char *) alloca (strlen (categoryname) + domainname_len + 5); It tries to allocate a buffer on stack, and for domain name causes stack overflow. There is no portable way to restore after stack overflow or to check it ahead. We can add arbitrary limit for the length of domain name, but it does not guarantee anything. It is just yet one way to crash Python from Python code.

__dcigettext() contains:

  domainname_len = strlen (domainname);
  xdomainname = (char *) alloca (strlen (categoryname)
				 + domainname_len + 5);

It tries to allocate a buffer on stack, and for domain name causes stack overflow.

There is no portable way to restore after stack overflow or to check it ahead. We can add arbitrary limit for the length of domain name, but it does not guarantee anything. It is just yet one way to crash Python from Python code.

History
Date	User	Action	Args
2021-04-06 07:25:32	serhiy.storchaka	set	recipients: + serhiy.storchaka, christian.heimes, xxm
2021-04-06 07:25:32	serhiy.storchaka	set	messageid: <1617693932.47.0.94993787238.issue43599@roundup.psfhosted.org>
2021-04-06 07:25:32	serhiy.storchaka	link	issue43599 messages
2021-04-06 07:25:32	serhiy.storchaka	create