Message 65194 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	jnferguson
Recipients	jnferguson
Date	2008-04-08.16:56:33
SpamBayes Score	0.022963477
Marked as misclassified	No
Message-id	<1207673799.86.0.811482353328.issue2595@psf.upfronthosting.co.za>
In-reply-to

Content
The imgfile module contains multiple integer overflows, this module is only used on SGI boxes and is likely mostly unused and thus is fairly low priority imho-- no repros, no poc, no sgi box :/ I'm only going to post one to give you the idea, there's no need for me to (further) spam the bug database by filing a bug for each one of these, they're all pretty much the same. Here the variables xsize, ysize and zsize are all externally derived. While xsize and zsize are sanity checked, ysize is not. This potentially results in an integer overflow/misallocation at line 133 and writes to invalid memory in the calls to getrow() 85 static PyObject * 86 imgfile_read(PyObject self, PyObject args) 87 { 88 char fname; 89 PyObject rv; 90 int xsize, ysize, zsize; 91 char cdatap; 92 long idatap; 93 static short rs[8192], gs[8192], bs[8192]; 94 int x, y; 95 IMAGE image; 96 int yfirst, ylast, ystep; 97 98 if ( !PyArg_ParseTuple(args, "s:read", &fname) ) 99 return NULL; 100 101 if ( (image = imgfile_open(fname)) == NULL ) 102 return NULL; [...] 116 xsize = image->xsize; 117 ysize = image->ysize; 118 zsize = image->zsize; 119 if ( zsize != 1 && zsize != 3) { 120 iclose(image); 121 PyErr_SetString(ImgfileError, 122 "Can only handle 1 or 3 byte pixels"); 123 return NULL; 124 } 125 if ( xsize > 8192 ) { 126 iclose(image); 127 PyErr_SetString(ImgfileError, 128 "Can't handle image with > 8192 columns"); 129 return NULL; 130 } 131 132 if ( zsize == 3 ) zsize = 4; 133 rv = PyString_FromStringAndSize((char )NULL, xsizeysizezsize); 134 if ( rv == NULL ) { 138 cdatap = PyString_AsString(rv); 139 idatap = (long )cdatap; [...] 150 for ( y=yfirst; y != ylast && !error_called; y += ystep ) { 151 if ( zsize == 1 ) { 152 getrow(image, rs, y, 0); 153 for(x=0; x<xsize; x++ ) 154 cdatap++ = rs[x]; 155 } else { 156 getrow(image, rs, y, 0); 157 getrow(image, gs, y, 1); 158 getrow(image, bs, y, 2); 159 for(x=0; x<xsize; x++ ) 160 *idatap++ = (rs[x] & 0xff) \| 161 ((gs[x] & 0xff)<<8) \| 162 ((bs[x] & 0xff)<<16); 163 } 164 }

The imgfile module contains multiple integer overflows, this module is
only used on SGI boxes and is likely mostly unused and thus is fairly
low priority imho-- no repros, no poc, no sgi box :/

I'm only going to post one to give you the idea, there's no need for me
to (further) spam the bug database by filing a bug for each one of
these, they're all pretty much the same.

Here the variables xsize, ysize and zsize are all externally derived.
While xsize and zsize are sanity checked, ysize is not. This potentially
results in an integer overflow/misallocation at line 133 and writes to
invalid memory in the calls to getrow()

 85 static PyObject *
 86 imgfile_read(PyObject *self, PyObject *args)
 87 {
 88         char *fname;
 89         PyObject *rv;
 90         int xsize, ysize, zsize;
 91         char *cdatap;
 92         long *idatap;
 93         static short rs[8192], gs[8192], bs[8192];
 94         int x, y;
 95         IMAGE *image;
 96         int yfirst, ylast, ystep;
 97
 98         if ( !PyArg_ParseTuple(args, "s:read", &fname) )
 99                 return NULL;
100    
101         if ( (image = imgfile_open(fname)) == NULL )
102                 return NULL;
[...]
116         xsize = image->xsize;
117         ysize = image->ysize;
118         zsize = image->zsize;
119         if ( zsize != 1 && zsize != 3) {
120                 iclose(image);
121                 PyErr_SetString(ImgfileError,
122                                 "Can only handle 1 or 3 byte pixels");
123                 return NULL;
124         }
125         if ( xsize > 8192 ) {
126                 iclose(image);
127                 PyErr_SetString(ImgfileError,
128                                 "Can't handle image with > 8192
columns");
129                 return NULL;
130         }
131 
132         if ( zsize == 3 ) zsize = 4;
133         rv = PyString_FromStringAndSize((char *)NULL,
xsize*ysize*zsize);
134         if ( rv == NULL ) {
138         cdatap = PyString_AsString(rv);
139         idatap = (long *)cdatap;
[...]
150         for ( y=yfirst; y != ylast && !error_called; y += ystep ) {
151                 if ( zsize == 1 ) {
152                         getrow(image, rs, y, 0);
153                         for(x=0; x<xsize; x++ )
154                                 *cdatap++ = rs[x];
155                 } else {
156                         getrow(image, rs, y, 0);
157                         getrow(image, gs, y, 1);
158                         getrow(image, bs, y, 2);
159                         for(x=0; x<xsize; x++ )
160                                 *idatap++ = (rs[x] & 0xff)  |
161                                         ((gs[x] & 0xff)<<8) |
162                                         ((bs[x] & 0xff)<<16);
163                 }
164         }

History
Date	User	Action	Args
2008-04-08 16:56:40	jnferguson	set	spambayes_score: 0.0229635 -> 0.022963477 recipients: + jnferguson
2008-04-08 16:56:39	jnferguson	set	spambayes_score: 0.0229635 -> 0.0229635 messageid: <1207673799.86.0.811482353328.issue2595@psf.upfronthosting.co.za>
2008-04-08 16:56:33	jnferguson	link	issue2595 messages
2008-04-08 16:56:33	jnferguson	create