
Author jnferguson
Recipients jnferguson
Date 2008-04-08.16:09:33
Message-id <1207670974.93.0.212511655132.issue2590@psf.upfronthosting.co.za>
In-reply-to
Content
The S_unpack_from() function in Modules/_struct.c does not adequately
validate its arguments, potentially causing an out-of-bounds read
access. It should be noted that the check at line 1561 is inadequate for
obscene values of offset. Finally, because they're not really important
and I really don't want to type them all up-- you guys might want to go
through your code-- especially the modules and look for constructs where
an empty string will cause memory to be uninitialized-- look at the
audioop module for examples of what I mean-- the only thing that
actually saved you guys from overflows there was that the loops you
write with use the same variable. 

1533 static PyObject *
1534 s_unpack_from(PyObject *self, PyObject *args, PyObject *kwds)
1535 {
1536         static char *kwlist[] = {"buffer", "offset", 0};
1537 #if (PY_VERSION_HEX < 0x02050000)
1538         static char *fmt = "z#|i:unpack_from";
1539 #else
1540         static char *fmt = "z#|n:unpack_from";
1541 #endif
1542         Py_ssize_t buffer_len = 0, offset = 0;
[...]
1547 
1548         if (!PyArg_ParseTupleAndKeywords(args, kwds, fmt, kwlist,
1549                                          &buffer, &buffer_len, &offset))
1550                 return NULL;
[...]
1558         if (offset < 0)
1559                 offset += buffer_len;
1560 
1561         if (offset < 0 || (buffer_len - offset) < soself->s_size) {
[...]
1566         }
1567         return s_unpack_internal(soself, buffer + offset);
1568 }
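Added example (not CPython's code, and not part of the original report): a stand-alone version of the offset/length validation that s_unpack_from() needs, written so that every comparison happens before any subtraction and so that the NULL/empty buffer that "z#" can hand back is rejected outright. The function names unpack_from_start and unpack_u16_le are hypothetical; the sample buffers are constructed.

```c
#include <stddef.h>
#include <stdint.h>

/* Validate an unpack_from()-style request the way a hardened
 * s_unpack_from() could: each comparison runs before the
 * subtraction, so no signed arithmetic can wrap on extreme offsets.
 * Returns the normalized start index, or -1 if the read would be
 * out of bounds or the buffer is NULL/empty (as "z#" permits). */
ptrdiff_t unpack_from_start(const char *buffer, ptrdiff_t buffer_len,
                            ptrdiff_t offset, ptrdiff_t s_size)
{
    if (buffer == NULL || buffer_len < 0 || s_size < 0)
        return -1;
    if (offset < 0) {
        /* Negative offsets count from the end, as in the original.
         * Reject first so offset + buffer_len is only computed when
         * the result is guaranteed to be non-negative. */
        if (offset < -buffer_len)
            return -1;
        offset += buffer_len;            /* now 0 <= offset <= buffer_len */
    }
    if (offset > buffer_len)             /* keeps buffer_len - offset >= 0 */
        return -1;
    if (buffer_len - offset < s_size)    /* the whole struct must fit */
        return -1;
    return offset;
}

/* Example consumer: read a little-endian uint16 at `offset`, mirroring
 * unpack_from("<H", buffer, offset). Returns the value or -1 on error. */
int unpack_u16_le(const char *buffer, ptrdiff_t buffer_len, ptrdiff_t offset)
{
    ptrdiff_t start = unpack_from_start(buffer, buffer_len, offset, 2);
    if (start < 0)
        return -1;
    const unsigned char *p = (const unsigned char *)buffer + start;
    return p[0] | (p[1] << 8);
}
```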