[issue2595] Multiple integer overflows in imgfile extension module lead to buffer overflow

2010-08-21 Thread Georg Brandl

Georg Brandl ge...@python.org added the comment:

I don't think anyone cares about these modules anymore.

--
nosy: +georg.brandl
resolution:  -> out of date
status: open -> closed

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue2595
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue2595] Multiple integer overflows in imgfile extension module lead to buffer overflow

2008-05-25 Thread Gregory P. Smith

Changes by Gregory P. Smith [EMAIL PROTECTED]:


--
priority:  -> low




[issue2595] Multiple integer overflows in imgfile extension module lead to buffer overflow

2008-04-08 Thread Justin Ferguson

New submission from Justin Ferguson [EMAIL PROTECTED]:

The imgfile module contains multiple integer overflows. This module is
only used on SGI boxes and is likely mostly unused, and thus is fairly
low priority imho -- no repros, no poc, no SGI box :/

I'm only going to post one to give you the idea; there's no need for me
to (further) spam the bug database by filing a bug for each one of
these, they're all pretty much the same.

Here the variables xsize, ysize and zsize are all externally derived.
While xsize and zsize are sanity checked, ysize is not. This potentially
results in an integer overflow/misallocation at line 133 and writes to
invalid memory in the calls to getrow():

 85 static PyObject *
 86 imgfile_read(PyObject *self, PyObject *args)
 87 {
 88     char *fname;
 89     PyObject *rv;
 90     int xsize, ysize, zsize;
 91     char *cdatap;
 92     long *idatap;
 93     static short rs[8192], gs[8192], bs[8192];
 94     int x, y;
 95     IMAGE *image;
 96     int yfirst, ylast, ystep;
 97
 98     if ( !PyArg_ParseTuple(args, "s:read", &fname) )
 99         return NULL;
100
101     if ( (image = imgfile_open(fname)) == NULL )
102         return NULL;
[...]
116     xsize = image->xsize;
117     ysize = image->ysize;
118     zsize = image->zsize;
119     if ( zsize != 1 && zsize != 3) {
120         iclose(image);
121         PyErr_SetString(ImgfileError,
122                         "Can only handle 1 or 3 byte pixels");
123         return NULL;
124     }
125     if ( xsize > 8192 ) {
126         iclose(image);
127         PyErr_SetString(ImgfileError,
128                         "Can't handle image with > 8192 columns");
129         return NULL;
130     }
131
132     if ( zsize == 3 ) zsize = 4;
133     rv = PyString_FromStringAndSize((char *)NULL, xsize*ysize*zsize);
134     if ( rv == NULL ) {
138     cdatap = PyString_AsString(rv);
139     idatap = (long *)cdatap;
[...]
150     for ( y=yfirst; y != ylast && !error_called; y += ystep ) {
151         if ( zsize == 1 ) {
152             getrow(image, rs, y, 0);
153             for(x=0; x<xsize; x++ )
154                 *cdatap++ = rs[x];
155         } else {
156             getrow(image, rs, y, 0);
157             getrow(image, gs, y, 1);
158             getrow(image, bs, y, 2);
159             for(x=0; x<xsize; x++ )
160                 *idatap++ = (rs[x] & 0xff)  |
161                     ((gs[x] & 0xff)<<8) |
162                     ((bs[x] & 0xff)<<16);
163         }
164     }

--
components: Extension Modules
messages: 65194
nosy: jnferguson
severity: normal
status: open
title: Multiple integer overflows in imgfile extension module lead to buffer overflow
type: security
versions: Python 2.5

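The size computation at line 133 of the excerpt above, worked through as an added example (not part of the original report and not CPython code): `wrapped_size` reproduces the 32-bit wraparound of `xsize*ysize*zsize`, and `checked_size` is a hypothetical helper showing the kind of bound on ysize that the report says is missing. The dimensions are constructed and assumed to arrive as arbitrary int values.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* The size expression from line 133, evaluated with explicit 32-bit
 * wraparound (unsigned math) so the result is defined behaviour here. */
static uint32_t wrapped_size(int xsize, int ysize, int zsize)
{
    return (uint32_t)xsize * (uint32_t)ysize * (uint32_t)zsize;
}

/* Hypothetical helper: returns 0 and stores the byte count in *out only if
 * every dimension is positive and xsize*ysize*zsize fits in an int. */
static int checked_size(int xsize, int ysize, int zsize, int *out)
{
    int row;

    if (xsize <= 0 || ysize <= 0 || zsize <= 0)
        return -1;
    if (xsize > INT_MAX / zsize)        /* bytes per row would overflow */
        return -1;
    row = xsize * zsize;
    if (ysize > INT_MAX / row)          /* rows * row bytes would overflow */
        return -1;
    *out = row * ysize;
    return 0;
}

int main(void)
{
    /* Constructed dimensions: xsize passes the 8192 check, zsize is the
     * value after "if ( zsize == 3 ) zsize = 4", ysize is unchecked. */
    int dims[][3] = { {640, 480, 4}, {8192, 131072, 4}, {8192, 131073, 4} };
    size_t i;

    for (i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int n = 0;
        int ok = checked_size(dims[i][0], dims[i][1], dims[i][2], &n) == 0;
        printf("%dx%dx%d: 32-bit product=%u, checked=%s\n",
               dims[i][0], dims[i][1], dims[i][2],
               (unsigned)wrapped_size(dims[i][0], dims[i][1], dims[i][2]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```

With the second and third constructed inputs the 32-bit product is 0 and 32768 bytes respectively, far smaller than the ysize rows the copy loop at lines 150-164 would then write.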



[issue2595] Multiple integer overflows in imgfile extension module lead to buffer overflow

2008-04-08 Thread Justin Ferguson

Justin Ferguson [EMAIL PROTECTED] added the comment:

I'm not going to file a different bug for rgbimgmodule.c, it has the
same types of issues.

Sorry, I don't mean to drop a ton of bugs, I'm prepping up to do a talk
on attacking the metadata in scripting languages (i.e. the Python call
stack instead of the processor's) and I need to have these public/patched
before I talk about them. I've got a bunch more bugs, I'll file them
later when some of this stuff is caught up with.
