[issue24602] SRE_SEARCH Integer Underflow

2015-07-09 Thread JohnLeitch
JohnLeitch added the comment: Attaching repro. -- Added file: http://bugs.python.org/file39889/SRE_SEARCH_Integer_Underflow.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24602

[issue24602] SRE_SEARCH Integer Underflow

2015-07-09 Thread JohnLeitch
JohnLeitch added the comment: Attaching proposed patch for unit tests to cover this issue. -- Added file: http://bugs.python.org/file39888/test_re.py.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24602

[issue24602] SRE_SEARCH Integer Underflow

2015-07-09 Thread JohnLeitch
New submission from JohnLeitch: The Python 2.7 regular expression module suffers from an integer underflow in the SRE_SEARCH function of _sre.c, which leads to a buffer over-read condition. The issue is caused by unchecked subtraction performed while handling SR_OP_INFO blocks

[issue24594] msilib.OpenDatabase Type Confusion

2015-07-08 Thread JohnLeitch
New submission from JohnLeitch: The msilib.OpenDatabase method suffers from a type confusion vulnerability caused by the behavior of MsiOpenDatabase(), the underlying win32 function utilized. This is due to the unorthodox handling of the szPersist parameter: when an MSIDBOPEN_* value

[issue24594] msilib.OpenDatabase Type Confusion

2015-07-08 Thread JohnLeitch
JohnLeitch added the comment: Attaching repro file. -- Added file: http://bugs.python.org/file39886/msilib.OpenDatabase_Type_Confusion.py ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24594

[issue24481] hotspot pack_string Heap Buffer Overflow

2015-06-20 Thread JohnLeitch
New submission from JohnLeitch: The hotspot module suffer from a heap buffer overflow due to a memcpy in the pack_string function at line 633: static int pack_string(ProfilerObject *self, const char *s, Py_ssize_t len) { if (len + PISIZE + self-index = BUFFERSIZE) { if (flush_data

[issue24462] bytearray.find Buffer Over-read

2015-06-20 Thread JohnLeitch
JohnLeitch added the comment: Given my understanding of the issue, the memcmp approach seems like a viable fix. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue24462

[issue24462] bytearray.find Buffer Over-read

2015-06-17 Thread JohnLeitch
New submission from JohnLeitch: The bytearray.find method suffers from a buffer over-read that can be triggered by passing a string equal in length to the buffer. The result is a read off the end of the buffer, which could potentially be exploited to disclose the contents of adjacent memory

[issue24456] audioop.adpcm2lin Buffer Over-read

2015-06-15 Thread JohnLeitch
New submission from JohnLeitch: The audioop.adpcm2lin function suffers from a buffer over-read caused by unchecked access to stepsizeTable at line 1545 of Modules\audioop.c: } else if ( !PyArg_ParseTuple(state, ii, valpred, index) ) return 0; step = stepsizeTable[index

[issue24457] audioop.lin2adpcm Buffer Over-read

2015-06-15 Thread JohnLeitch
New submission from JohnLeitch: The audioop.lin2adpcm function suffers from a buffer over-read caused by unchecked access to stepsizeTable at line 1436 of Modules\audioop.c: } else if ( !PyArg_ParseTuple(state, ii, valpred, index) ) return 0; step = stepsizeTable[index

[issue24264] imageop Unsafe Arithmetic

2015-05-22 Thread JohnLeitch
New submission from JohnLeitch: Several functions within the imageop module are vulnerable to exploitable buffer overflows due to unsafe arithmetic in check_multiply_size(). The problem exists because the check to confirm that size == product / y / x does not take remainders into account

[issue24201] _winreg PyHKEY Type Confusion

2015-05-16 Thread JohnLeitch
JohnLeitch added the comment: Thank you again for the explanation of the internals at play here. Armed with the knowledge you provided, I conducted further experimentation, and I believe I can now demonstrate how EIP control is possible with this bug. Note that RPC initialization

[issue24201] _winreg PyHKEY Type Confusion

2015-05-15 Thread JohnLeitch
New submission from JohnLeitch: The Python _winreg module suffers from a type confusion vulnerability wherein pointers can be passed directly in place of PyHKEY instances e.g. _winreg.QueryValue(0x41414141, ) This behavior is due to the underlying PyHKEY_AsHKEY function of _winreg.c: BOOL

[issue24201] _winreg PyHKEY Type Confusion

2015-05-15 Thread JohnLeitch
JohnLeitch added the comment: Thank you for taking the time to peruse my report and explain the behavior I observed. My understanding of Windows RPC internals is lacking, and perhaps I jumped the gun upon catching an AV while fuzzing. That said, after poking around to better understand