[issue17043] Invalid read in test_codecs
Changes by Serhiy Storchaka storch...@gmail.com: -- resolution: - fixed stage: patch review - committed/rejected status: open - closed ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17043 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17043] Invalid read in test_codecs
Roundup Robot added the comment: New changeset 498b54e0e856 by Serhiy Storchaka in branch '2.7': Issue #17043: The unicode-internal decoder no longer read past the end of http://hg.python.org/cpython/rev/498b54e0e856 New changeset 0f1c2e2b6bc2 by Serhiy Storchaka in branch '3.2': Issue #17043: The unicode-internal decoder no longer read past the end of http://hg.python.org/cpython/rev/0f1c2e2b6bc2 New changeset fec2976c8503 by Serhiy Storchaka in branch '3.3': Issue #17043: The unicode-internal decoder no longer read past the end of http://hg.python.org/cpython/rev/fec2976c8503 New changeset eb0370d4686c by Serhiy Storchaka in branch 'default': Issue #17043: The unicode-internal decoder no longer read past the end of http://hg.python.org/cpython/rev/eb0370d4686c -- nosy: +python-dev ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17043 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17043] Invalid read in test_codecs
Serhiy Storchaka added the comment: Ping. -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17043 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17043] Invalid read in test_codecs
Changes by Serhiy Storchaka storch...@gmail.com: -- assignee: - serhiy.storchaka ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17043 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17043] Invalid read in test_codecs
New submission from Stefan Krah: Found this in test_codecs running under Valgrind (Python 3.3): test_bug1251300 (test.test_codecs.UnicodeInternalTest) ... ==11511== Invalid read of size 1 ==11511==at 0x44AF37: _PyUnicode_DecodeUnicodeInternal (unicodeobject.c:6133) ==11511==by 0x4DEB5C: unicode_internal_decode (_codecsmodule.c:251) ==11511==by 0x5093F6: PyObject_Call (abstract.c:2082) ==11511==by 0x47D7F2: PyEval_CallObjectWithKeywords (ceval.c:3942) ==11511==by 0x491C38: PyCodec_Decode (codecs.c:403) ==11511==by 0x459D7D: PyUnicode_Decode (unicodeobject.c:3129) ==11511==by 0x45A287: PyUnicode_FromEncodedObject (unicodeobject.c:3023) ==11511==by 0x519A45: bytes_decode (bytesobject.c:2320) ==11511==by 0x484AB8: PyEval_EvalFrameEx (ceval.c:4374) ==11511==by 0x485ACB: PyEval_EvalFrameEx (ceval.c:4150) ==11511==by 0x486779: PyEval_EvalCodeEx (ceval.c:3433) ==11511==by 0x4859CA: PyEval_EvalFrameEx (ceval.c:4160) ==11511== Address 0x984a7e2 is 0 bytes after a block of size 34 alloc'd ==11511==at 0x4C27972: realloc (vg_replace_malloc.c:525) ==11511==by 0x51AC34: _PyBytes_Resize (bytesobject.c:2881) ==11511==by 0x51B1FA: PyBytes_FromObject (bytesobject.c:2732) ==11511==by 0x51C134: bytes_new (bytesobject.c:2594) ==11511==by 0x42A4E4: type_call (typeobject.c:723) ==11511==by 0x5093F6: PyObject_Call (abstract.c:2082) ==11511==by 0x4843D5: PyEval_EvalFrameEx (ceval.c:4282) ==11511==by 0x485ACB: PyEval_EvalFrameEx (ceval.c:4150) ==11511==by 0x486779: PyEval_EvalCodeEx (ceval.c:3433) ==11511==by 0x4859CA: PyEval_EvalFrameEx (ceval.c:4160) ==11511==by 0x486779: PyEval_EvalCodeEx (ceval.c:3433) ==11511==by 0x538EF8: function_call (funcobject.c:633) ==11511== _PyUnicode_DecodeUnicodeInternal (s=0x984a7e0 , size=value optimized out, errors=0x0) at Objects/unicodeobject.c:6133 6133((char *) uch)[2] = s[2]; == ==11511== ==11511== Debugger has detached. Valgrind regains control. We continue. ==11511== Invalid read of size 1 ==11511==at 0x44AF3E: _PyUnicode_DecodeUnicodeInternal (unicodeobject.c:6134) ==11511==by 0x4DEB5C: unicode_internal_decode (_codecsmodule.c:251) ==11511==by 0x5093F6: PyObject_Call (abstract.c:2082) ==11511==by 0x47D7F2: PyEval_CallObjectWithKeywords (ceval.c:3942) ==11511==by 0x491C38: PyCodec_Decode (codecs.c:403) ==11511==by 0x459D7D: PyUnicode_Decode (unicodeobject.c:3129) ==11511==by 0x45A287: PyUnicode_FromEncodedObject (unicodeobject.c:3023) ==11511==by 0x519A45: bytes_decode (bytesobject.c:2320) ==11511==by 0x484AB8: PyEval_EvalFrameEx (ceval.c:4374) ==11511==by 0x485ACB: PyEval_EvalFrameEx (ceval.c:4150) ==11511==by 0x486779: PyEval_EvalCodeEx (ceval.c:3433) ==11511==by 0x4859CA: PyEval_EvalFrameEx (ceval.c:4160) ==11511== Address 0x984a7e3 is 1 bytes after a block of size 34 alloc'd ==11511==at 0x4C27972: realloc (vg_replace_malloc.c:525) ==11511==by 0x51AC34: _PyBytes_Resize (bytesobject.c:2881) ==11511==by 0x51B1FA: PyBytes_FromObject (bytesobject.c:2732) ==11511==by 0x51C134: bytes_new (bytesobject.c:2594) ==11511==by 0x42A4E4: type_call (typeobject.c:723) ==11511==by 0x5093F6: PyObject_Call (abstract.c:2082) ==11511==by 0x4843D5: PyEval_EvalFrameEx (ceval.c:4282) ==11511==by 0x485ACB: PyEval_EvalFrameEx (ceval.c:4150) ==11511==by 0x486779: PyEval_EvalCodeEx (ceval.c:3433) ==11511==by 0x4859CA: PyEval_EvalFrameEx (ceval.c:4160) ==11511==by 0x486779: PyEval_EvalCodeEx (ceval.c:3433) ==11511==by 0x538EF8: function_call (funcobject.c:633) ==11511== Loaded symbols for /usr/lib/gconv/ISO8859-9.so _PyUnicode_DecodeUnicodeInternal (s=0x8295790 , size=value optimized out, errors=0x0) at Objects/unicodeobject.c:6134 6134((char *) uch)[3] = s[3]; -- messages: 180709 nosy: serhiy.storchaka, skrah priority: normal severity: normal status: open title: Invalid read in test_codecs versions: Python 3.3 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17043 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17043] Invalid read in test_codecs
Stefan Krah added the comment: Same in test_codeccallbacks: test_badhandlerresults (test.test_codeccallbacks.CodecCallbackTest) ... ==11604== Invalid read of size 1 ==11604==at 0x44AF37: _PyUnicode_DecodeUnicodeInternal (unicodeobject.c:6133) ==11604==by 0x4DEB5C: unicode_internal_decode (_codecsmodule.c:251) ==11604==by 0x5093F6: PyObject_Call (abstract.c:2082) ==11604==by 0x47D7F2: PyEval_CallObjectWithKeywords (ceval.c:3942) ==11604==by 0x491C38: PyCodec_Decode (codecs.c:403) ==11604==by 0x459D7D: PyUnicode_Decode (unicodeobject.c:3129) ==11604==by 0x45A287: PyUnicode_FromEncodedObject (unicodeobject.c:3023) ==11604==by 0x519A45: bytes_decode (bytesobject.c:2320) ==11604==by 0x484AB8: PyEval_EvalFrameEx (ceval.c:4374) ==11604==by 0x485ACB: PyEval_EvalFrameEx (ceval.c:4150) ==11604==by 0x486779: PyEval_EvalCodeEx (ceval.c:3433) ==11604==by 0x4859CA: PyEval_EvalFrameEx (ceval.c:4160) ==11604== Address 0xfa1f8a2 is 0 bytes after a block of size 34 alloc'd ==11604==at 0x4C27972: realloc (vg_replace_malloc.c:525) ==11604==by 0x51AC34: _PyBytes_Resize (bytesobject.c:2881) ==11604==by 0x51C338: PyBytes_DecodeEscape (bytesobject.c:495) ==11604==by 0x56E871: ast_for_expr (ast.c:3837) ==11604==by 0x570562: ast_for_testlist (ast.c:1106) ==11604==by 0x56E859: ast_for_expr (ast.c:1881) ==11604==by 0x570562: ast_for_testlist (ast.c:1106) ==11604==by 0x56E859: ast_for_expr (ast.c:1881) ==11604==by 0x5715C4: ast_for_stmt (ast.c:3302) ==11604==by 0x5724F8: ast_for_suite (ast.c:3086) ==11604==by 0x5715E3: ast_for_stmt (ast.c:3305) ==11604==by 0x5724F8: ast_for_suite (ast.c:3086) _PyUnicode_DecodeUnicodeInternal (s=0xfa1f8a0 , size=value optimized out, errors= 0xf652fa0 test.badhandler) at Objects/unicodeobject.c:6133 6133((char *) uch)[2] = s[2]; [...] _PyUnicode_DecodeUnicodeInternal (s=0xfa1f8a0 , size=value optimized out, errors= 0xf652fa0 test.badhandler) at Objects/unicodeobject.c:6134 6134((char *) uch)[3] = s[3]; -- ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17043 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue17043] Invalid read in test_codecs
Serhiy Storchaka added the comment: Here are patches for all 4 versions. -- keywords: +patch Added file: http://bugs.python.org/file28860/decodeunicodeinternal_overflow-2.7.patch Added file: http://bugs.python.org/file28861/decodeunicodeinternal_overflow-3.2.patch Added file: http://bugs.python.org/file28862/decodeunicodeinternal_overflow-3.3.patch Added file: http://bugs.python.org/file28863/decodeunicodeinternal_overflow-3.4.patch ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17043 ___diff -r 523f309cf558 Objects/unicodeobject.c --- a/Objects/unicodeobject.c Sat Jan 26 13:31:44 2013 +0100 +++ b/Objects/unicodeobject.c Sun Jan 27 00:05:19 2013 +0200 @@ -3399,37 +3399,34 @@ end = s + size; while (s end) { +if (end-s Py_UNICODE_SIZE) { +endinpos = end-starts; +reason = truncated input; +goto error; +} memcpy(p, s, sizeof(Py_UNICODE)); +#ifdef Py_UNICODE_WIDE /* We have to sanity check the raw data, otherwise doom looms for some malformed UCS-4 data. */ -if ( -#ifdef Py_UNICODE_WIDE -*p unimax || *p 0 || +if (*p unimax || *p 0) { +endinpos = s - starts + Py_UNICODE_SIZE; +reason = illegal code point ( 0x10); +goto error; +} #endif -end-s Py_UNICODE_SIZE -) -{ -startinpos = s - starts; -if (end-s Py_UNICODE_SIZE) { -endinpos = end-starts; -reason = truncated input; -} -else { -endinpos = s - starts + Py_UNICODE_SIZE; -reason = illegal code point ( 0x10); -} -outpos = p - PyUnicode_AS_UNICODE(v); -if (unicode_decode_call_errorhandler( -errors, errorHandler, -unicode_internal, reason, -starts, size, startinpos, endinpos, exc, s, -v, outpos, p)) { -goto onError; -} -} -else { -p++; -s += Py_UNICODE_SIZE; +p++; +s += Py_UNICODE_SIZE; +continue; + + error: +startinpos = s - starts; +outpos = p - PyUnicode_AS_UNICODE(v); +if (unicode_decode_call_errorhandler( +errors, errorHandler, +unicode_internal, reason, +starts, size, startinpos, endinpos, exc, s, +v, outpos, p)) { +goto onError; } } diff -r f7eda8165e6f Objects/unicodeobject.c --- a/Objects/unicodeobject.c Sat Jan 26 12:14:02 2013 +0200 +++ b/Objects/unicodeobject.c Sat Jan 26 23:55:55 2013 +0200 @@ -4415,37 +4415,34 @@ end = s + size; while (s end) { +if (end-s Py_UNICODE_SIZE) { +endinpos = end-starts; +reason = truncated input; +goto error; +} memcpy(p, s, sizeof(Py_UNICODE)); +#ifdef Py_UNICODE_WIDE /* We have to sanity check the raw data, otherwise doom looms for some malformed UCS-4 data. */ -if ( -#ifdef Py_UNICODE_WIDE -*p unimax || *p 0 || +if (*p unimax || *p 0) { +endinpos = s - starts + Py_UNICODE_SIZE; +reason = illegal code point ( 0x10); +goto error; +} #endif -end-s Py_UNICODE_SIZE -) -{ -startinpos = s - starts; -if (end-s Py_UNICODE_SIZE) { -endinpos = end-starts; -reason = truncated input; -} -else { -endinpos = s - starts + Py_UNICODE_SIZE; -reason = illegal code point ( 0x10); -} -outpos = p - PyUnicode_AS_UNICODE(v); -if (unicode_decode_call_errorhandler( -errors, errorHandler, -unicode_internal, reason, -starts, end, startinpos, endinpos, exc, s, -v, outpos, p)) { -goto onError; -} -} -else { -p++; -s += Py_UNICODE_SIZE; +p++; +s += Py_UNICODE_SIZE; +continue; + + error: +startinpos = s - starts; +outpos = p - PyUnicode_AS_UNICODE(v); +if (unicode_decode_call_errorhandler( +errors, errorHandler, +unicode_internal, reason, +starts, end, startinpos, endinpos, exc, s, +v, outpos, p)) { +goto onError; } } diff -r 8c49dd8e4d22 Objects/unicodeobject.c --- a/Objects/unicodeobject.c Sat Jan 26 18:57:19 2013 +0100 +++ b/Objects/unicodeobject.c Sat Jan 26 23:50:50 2013 +0200 @@ -6125,6 +6125,11 @@ while (s end) { Py_UNICODE uch;
[issue17043] Invalid read in test_codecs
Changes by Serhiy Storchaka storch...@gmail.com: -- components: +Interpreter Core, Unicode nosy: +ezio.melotti stage: - patch review type: - behavior versions: +Python 2.7, Python 3.2, Python 3.4 ___ Python tracker rep...@bugs.python.org http://bugs.python.org/issue17043 ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com