Message 65175 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	jnferguson
Recipients	jnferguson
Date	2008-04-08.15:59:47
SpamBayes Score	0.14854608
Marked as misclassified	No
Message-id	<1207670389.49.0.356116216637.issue2589@psf.upfronthosting.co.za>
In-reply-to

Content
On architectures that do not have a vsnprintf() in their standard library Python attempts to emulate it. When doing so, the implementation ambitiously allocates more memory than requested without verifying the sanity of the summed value. As a result it becomes possible (although unlikely) for an integer overflow to occur misallocating memory and causing a buffer overflow. 53 int 54 PyOS_vsnprintf(char str, size_t size, const char format, va_list va) 55 { 56 int len; /* # bytes written, excluding \0 / [...] 60 assert(str != NULL); 61 assert(size > 0); 62 assert(format != NULL); 63 [...] 67 / Emulate it. / 68 buffer = PyMem_MALLOC(size + 512); 69 if (buffer == NULL) { 70 len = -666; 71 goto Done; 72 } 73 74 len = vsprintf(buffer, format, va); 75 if (len < 0) 76 / ignore the error */; 77 78 else if ((size_t)len >= size + 512) 79 Py_FatalError("Buffer overflow in PyOS_snprintf/PyOS_vsnprintf"); 80 81 else { 82 const size_t to_copy = (size_t)len < size ? 83 (size_t)len : size - 1; 84 assert(to_copy < size); 85 memcpy(str, buffer, to_copy); 86 str[to_copy] = '\0'; 87 } 88 PyMem_FREE(buffer); 89 Done: [...] 91 str[size-1] = '\0'; 92 return len; 93 }

On architectures that do not have a vsnprintf() in their standard
library Python attempts to emulate it. When doing so, the implementation
ambitiously allocates more memory than requested without verifying the
sanity of the summed value. As a result it becomes possible (although
unlikely) for an integer overflow to occur misallocating memory and
causing a buffer overflow.

 53 int
 54 PyOS_vsnprintf(char *str, size_t size, const char  *format, va_list va)
 55 {
 56         int len;  /* # bytes written, excluding \0 */
[...]
 60         assert(str != NULL);
 61         assert(size > 0);
 62         assert(format != NULL);
 63 
[...]
 67         /* Emulate it. */
 68         buffer = PyMem_MALLOC(size + 512);
 69         if (buffer == NULL) {
 70                 len = -666;
 71                 goto Done;
 72         }
 73 
 74         len = vsprintf(buffer, format, va);
 75         if (len < 0)
 76                 /* ignore the error */;
 77 
 78         else if ((size_t)len >= size + 512)
 79                 Py_FatalError("Buffer overflow in
PyOS_snprintf/PyOS_vsnprintf");
 80 
 81         else {
 82                 const size_t to_copy = (size_t)len < size ?
 83                                         (size_t)len : size - 1;
 84                 assert(to_copy < size);
 85                 memcpy(str, buffer, to_copy);
 86                 str[to_copy] = '\0';
 87         }
 88         PyMem_FREE(buffer);
 89 Done:
[...]
 91         str[size-1] = '\0';
 92         return len;
 93 }

History
Date	User	Action	Args
2008-04-08 15:59:50	jnferguson	set	spambayes_score: 0.148546 -> 0.14854608 recipients: + jnferguson
2008-04-08 15:59:49	jnferguson	set	spambayes_score: 0.148546 -> 0.148546 messageid: <1207670389.49.0.356116216637.issue2589@psf.upfronthosting.co.za>
2008-04-08 15:59:48	jnferguson	link	issue2589 messages
2008-04-08 15:59:47	jnferguson	create