[issue6873] posix_lchown: possible overflow of uid, gid

2009-12-23 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

Gregory,

I discovered this bug by static analysis, so I do not have a system
on which this bug is actually triggered. But I am happy to see the fix
applied since this makes the code safer. It would be great if anyone could
write a test case that causes uid and gid to overflow, then use the test
case as a regression test on the fix.

Boya

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6873
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue6873] posix_lchown: possible overflow of uid, gid

2009-09-16 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

Martin,

Corrected the patch accordingly. Can you verify whether the fix is
correct or not now? 

Boya

--
Added file: http://bugs.python.org/file14900/patch_6873.diff




[issue6873] posix_lchown: possible overflow of uid, gid

2009-09-11 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

Martin,

I am sorry that I do not have a system where this code actually
triggered a problem, since this bug was discovered by a *static* analysis
tool recently developed by our research group, which finds code
segments that are similar to previously fixed bugs as potential bugs.
You are saying that if I pass a long to the "i" argument parser it will
cause a problem. But if I pass an int, it will be the same as before and
overflow will not be detected at all.

---
Victor,

Do you also agree that it will cause a problem if I pass a long to the "i"
argument parser? If so, I think maybe the overflow problem cannot be
solved by the patch I submitted.

Boya

--




[issue6873] posix_lchown: possible overflow of uid, gid

2009-09-10 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

Martin,

The reason why I think there is a possible overflow is that according to
issue 5705, uid/gid overflows are fixed in the following functions:
posix_setegid, posix_setreuid(), posix_setregid(), posix_setgid(). So I
think a similar fix should also be applied to the function posix_lchown.
Or did I misunderstand anything?

And you're right. The previous patch is incorrect. I have now submitted
another patch that deals with the *actual* overflow of gid and uid.

---
Victor,

I agree that all posix_*chown() functions should also be fixed for the
same overflow problem, and it's a good idea to create callback functions
as you described. But if nobody does that, I can at least create more
patches to fix other posix_*chown() functions.

--
Added file: http://bugs.python.org/file14873/patch_6873.diff




[issue6873] posix_lchown: possible overflow of uid, gid

2009-09-10 Thread Boya Sun

Changes by Boya Sun boya@case.edu:


Removed file: http://bugs.python.org/file14869/patch.diff




[issue6817] char buffer in function posix_getcwdu should not be fix length

2009-09-10 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

Victor,

I corrected both issues of the patch according to your first comment. 

This patch did not fix the Windows implementation. It seems that there
will not be buffer overflow in the Windows implementation, since if the
buffer is small for GetCurrentDirectoryW(), the code allocates a new
buffer for it with enough length by the following code:

len = GetCurrentDirectoryW(sizeof wbuf/ sizeof wbuf[0], wbuf);
if (len >= sizeof wbuf/ sizeof wbuf[0]) {
    wbuf2 = malloc(len * sizeof(wchar_t));
    if (wbuf2)
        len = GetCurrentDirectoryW(len, wbuf2);
}

--
Added file: http://bugs.python.org/file14874/patch_6817.diff

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue6817
___



[issue6873] posix_lchown: possible overflow of uid, gid

2009-09-09 Thread Boya Sun

New submission from Boya Sun boya@case.edu:

posix_lchown(PyObject *self, PyObject *args)
{
    ...
    int uid, gid;
    ...
    if (!PyArg_ParseTuple(args, "etii:lchown",
                          Py_FileSystemDefaultEncoding, &path,
                          &uid, &gid))
    ...
}

uid and gid could cause overflow. A similar bug is issue 5705.

Patch attached.  Any comment is appreciated!

Boya

--
files: patch.diff
keywords: patch
messages: 92465
nosy: boya
severity: normal
status: open
title: posix_lchown: possible overflow of uid, gid
Added file: http://bugs.python.org/file14869/patch.diff




[issue5705] os.getpwent returns unsigned 32bit value, os.setuid refuses it

2009-09-09 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

Created issue 6879 following Victor's suggestion.

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue5705
___



[issue5705] os.getpwent returns unsigned 32bit value, os.setuid refuses it

2009-09-09 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

Sorry, typo.

Created issue 6873 following Victor's suggestion.

--




[issue3139] bytearrays are not thread safe

2009-09-02 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

I am still a little bit confused.  Can you explain a little more in
detail? What is the difference between the suspicious code and the ones
that are fixed?

--

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue3139
___



[issue3139] bytearrays are not thread safe

2009-09-01 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

Although the bug is fixed, the following three code segments seem
suspicious in _codecsmodule.c in the latest revision 74624, and they are
similar to the bug described here:

(1)
escape_decode(PyObject *self,
              PyObject *args)
{
    ...
    const char *data;
    ...
    if (!PyArg_ParseTuple(args, "s#|z:escape_decode",
                          &data, &size, &errors))
}

(2)
readbuffer_encode(PyObject *self,
                  PyObject *args)
{
    const char *data;
    ...
    if (!PyArg_ParseTuple(args, "s#|z:readbuffer_encode",
                          &data, &size, &errors))
    ...
}

(3)
charbuffer_encode(PyObject *self,
                  PyObject *args)
{
    const char *data;
    ...
    if (!PyArg_ParseTuple(args, "t#|z:charbuffer_encode",
                          &data, &size, &errors))
    ...
}

Firstly, "char *data;" has been replaced by "Py_buffer pbuf;" in many
procedures in this file in the bug fix, but in this code it has not;
Secondly, they use "s#" or "t#" which should probably be changed to "s*";

I could be wrong about it.  Does anyone have any opinions on the above
code? Are they really buggy or am I misunderstanding anything?

--
nosy: +boya




[issue5705] os.getpwent returns unsigned 32bit value, os.setuid refuses it

2009-09-01 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

Another potential bug discovered in posixmodule.c in the function
posix_lchown:

posix_lchown(PyObject *self, PyObject *args)
{
    ...
    int uid, gid;
    ...
    if (!PyArg_ParseTuple(args, "etii:lchown",
                          Py_FileSystemDefaultEncoding, &path,
                          &uid, &gid))
    ...
}

uid and gid could also cause overflow. Patch attached.

Hope someone can comment on the patch, thanks a lot!

--
keywords: +patch
nosy: +boya
Added file: http://bugs.python.org/file14816/patch_5705.diff
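
An added example, not part of the original messages and not CPython's code: it shows why parsing a uid into a C int is too narrow for high ids, and why widening the parse without a range check silently truncates instead. The helper names are hypothetical, and the sample ids assume a 32-bit unsigned uid_t as on Linux.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical helper, not CPython's code: narrow a wide integer (what a
 * parser accepting a Python long would hand back) to uid_t.
 * Returns 0 on success, -1 with errno = ERANGE when the value would not
 * survive the cast. -1 passes through because chown()/lchown() read
 * (uid_t)-1 as "leave this id unchanged". */
int to_uid_checked(long long value, uid_t *out)
{
    uid_t converted = (uid_t)value;

    if (value == -1) {
        *out = (uid_t)-1;
        return 0;
    }
    /* Negative ids and values truncated by the cast are rejected. */
    if (value < 0 || (long long)converted != value) {
        errno = ERANGE;
        return -1;
    }
    *out = converted;
    return 0;
}

/* The silent narrowing a bare cast performs. */
uid_t to_uid_unchecked(long long value) { return (uid_t)value; }

/* Range of the C int that the "i" format code fills in. */
int fits_in_int(long long value)
{
    return value >= INT_MIN && value <= INT_MAX;
}

int main(void)
{
    /* Constructed sample ids: a high but valid 32-bit id, and 2^32. */
    long long samples[] = { 1000, 4294967294LL, 4294967296LL, -1, -2 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uid_t u = 0;
        int rc = to_uid_checked(samples[i], &u);
        printf("%lld: fits int=%d, bare cast=%lu, checked=%s\n",
               samples[i], fits_in_int(samples[i]),
               (unsigned long)to_uid_unchecked(samples[i]),
               rc == 0 ? "ok" : "ERANGE");
    }
    return 0;
}
```

With a 32-bit uid_t the bare cast turns 4294967296 into 0, the id of root, which is the outcome the range check exists to refuse.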




[issue2722] os.getcwd fails for long path names on linux

2009-09-01 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

This bug occurred in posix_getcwd() and is being fixed. 
Should the following code in posix_getcwdu() also be fixed the same way?

posix_getcwdu(PyObject *self, PyObject *noargs)
{
    char buf[1026];
    ...
#if defined(PYOS_OS2) && defined(PYCC_GCC)
    res = _getcwd2(buf, sizeof buf);
#else
    res = getcwd(buf, sizeof buf);
#endif
    ...
}

In my opinion, the fixed-length buf should be discarded and memory should
instead be allocated to buf as needed (as in the fix code in posix_getcwd()),
since getcwd() does not have a maximum anymore.

--
nosy: +boya

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue2722
___



[issue2620] Multiple buffer overflows in unicode processing

2009-09-01 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

In Python/pyarena.c:

block_new(size_t size)
{
    /* Allocate header and block as one unit.
       ab_mem points just past header. */
    block *b = (block *)malloc(sizeof(block) + size);
    ...
}

Should a check for overflow of size also be performed before calling
malloc?

--
nosy: +boya

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue2620
___
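
An added example, not part of the original message and not the pyarena.c code: it shows what the unchecked `sizeof(block) + size` sum becomes for a very large size, next to an allocator that refuses such a request. The `demo_block` struct and function names are hypothetical stand-ins.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for an arena block header; field names are illustrative. */
typedef struct demo_block {
    size_t size;
    size_t offset;
    struct demo_block *next;
    void *mem;
} demo_block;

/* The byte count malloc() would receive without a check: size_t
 * arithmetic wraps modulo SIZE_MAX + 1. */
size_t request_unchecked(size_t size)
{
    return sizeof(demo_block) + size;
}

/* Header and payload as one unit, refusing sizes whose sum would wrap. */
demo_block *demo_block_new(size_t size)
{
    if (size > SIZE_MAX - sizeof(demo_block))
        return NULL;                  /* sum would wrap */
    demo_block *b = malloc(sizeof(demo_block) + size);
    if (b == NULL)
        return NULL;
    b->size = size;
    b->offset = 0;
    b->next = NULL;
    b->mem = (void *)(b + 1);         /* just past the header */
    return b;
}

int main(void)
{
    size_t huge = SIZE_MAX - 7;       /* constructed worst-case request */
    printf("unchecked request for %zu payload bytes: %zu bytes\n",
           huge, request_unchecked(huge));
    printf("checked allocator: %s\n",
           demo_block_new(huge) ? "allocated" : "refused");
    demo_block *ok = demo_block_new(64);
    printf("64-byte block: %s\n", ok ? "allocated" : "failed");
    free(ok);
    return 0;
}
```

Without the check, malloc() would succeed with a buffer smaller than the header while the caller believes it holds nearly SIZE_MAX payload bytes.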



[issue6817] char buffer in function posix_getcwdu should not be fix length

2009-09-01 Thread Boya Sun

New submission from Boya Sun boya@case.edu:

This issue is similar to issue 2722 (http://bugs.python.org/issue2722#),
where the char buffer in the function posix_getcwd() supports path
strings that do not have a fixed length.

In the function posix_getcwdu(), the char buffer is still fixed length. But
I think the same change should also apply to this function. A patch is
attached to allow the char buffer in posix_getcwdu() to be not fixed
length.

--
files: patch_get_cwdu.diff
keywords: patch
messages: 92151
nosy: boya
severity: normal
status: open
title: char buffer in function posix_getcwdu should not be fix length
Added file: http://bugs.python.org/file14818/patch_get_cwdu.diff
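
An added example, not part of the original messages and not the attached patch: one way to replace a fixed `char buf[1026]` with a buffer that grows until getcwd() stops failing with ERANGE, as discussed here and in the issue 2722 comment. The function name `getcwd_dynamic` and its `initial` parameter are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not CPython's code: return the current directory in
 * a malloc()ed buffer that grows until getcwd() stops reporting ERANGE.
 * The caller frees the result; NULL is returned on any other error. */
char *getcwd_dynamic(size_t initial)
{
    size_t size = initial ? initial : 1;   /* size 0 would be EINVAL */
    char *buf = NULL;

    for (;;) {
        char *grown = realloc(buf, size);
        if (grown == NULL) {
            free(buf);
            return NULL;
        }
        buf = grown;
        if (getcwd(buf, size) != NULL)
            return buf;                    /* path plus NUL fitted */
        if (errno != ERANGE || size > (size_t)-1 / 2) {
            free(buf);                     /* real error, or size would wrap */
            return NULL;
        }
        size *= 2;
    }
}

int main(void)
{
    /* Start deliberately tiny so the growth path is exercised. */
    char *cwd = getcwd_dynamic(4);
    if (cwd == NULL) {
        perror("getcwd");
        return 1;
    }
    printf("%s (%zu bytes)\n", cwd, strlen(cwd));
    free(cwd);
    return 0;
}
```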




[issue2722] os.getcwd fails for long path names on linux

2009-09-01 Thread Boya Sun

Boya Sun boya@case.edu added the comment:

Amaury,

Created issue 6817 with a patch.

--
