[issue24522] Integer overflow in _json_encode_unicode leads to crash (heap-buffer-overflow)

2015-06-28 Thread Arfrever Frehtes Taifersar Arahesis

Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:


--
nosy: +Arfrever

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue24522
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue24522] Integer overflow in _json_encode_unicode leads to crash (heap-buffer-overflow)

2015-06-27 Thread Benjamin Peterson

New submission from Benjamin Peterson:

Reported by Brendon Tiszka on the security list:

# static PyObject *
# escape_unicode(PyObject *pystr)
# {
# /* Take a PyUnicode pystr and return a new escaped PyUnicode */
# Py_ssize_t i;
# Py_ssize_t input_chars;
# Py_ssize_t output_size;
# Py_ssize_t chars;
# PyObject *rval;
# void *input;
# int kind;
# Py_UCS4 maxchar;
# 
# if (PyUnicode_READY(pystr) == -1)
# return NULL;
# 
# maxchar = PyUnicode_MAX_CHAR_VALUE(pystr);
# input_chars = PyUnicode_GET_LENGTH(pystr);
# input = PyUnicode_DATA(pystr);
# kind = PyUnicode_KIND(pystr);
# 
# /* Compute the output size */
# for (i = 0, output_size = 2; i < input_chars; i++) {
# Py_UCS4 c = PyUnicode_READ(kind, input, i);
# switch (c) {
# case '\\': case '"': case '\b': case '\f':
# case '\n': case '\r': case '\t':
# output_size += 2;
# break;
# default:
# if (c <= 0x1f)
# output_size += 6;
# else
# output_size++;
# }
# }
#
# rval = PyUnicode_New(output_size, maxchar);
#
# 1.) if c is <= 0x1f then output_size += 6. There are no overflow checks on this variable.
# 2.) rval buffer is too small to hold results
#
# Crash:
# --
#
# Program received signal SIGSEGV, Segmentation fault.
# 0xb7a2e9be in escape_unicode (pystr=pystr@entry=0x8cf81018)
# at /home/pail/cpython/Modules/_json.c:306
# 306  ENCODE_OUTPUT;
#
# OS info
# 
#  %./python -V
#   Python 3.6.0a0
# % uname -a
# Linux Pail0verflow 3.13.0-52-generic #85-Ubuntu SMP Wed Apr 29 16:44:56 UTC 2015 i686 i686 i686 GNU/Linux
#
# ASAN Info (details in other file)
# =
# ==6512== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb5c0 at pc 0xb5f17356 bp 0xbfaa0eb8 sp 0xbfaa0eac
# WRITE of size 1 at 0xb5c0 thread T0

import json

sp = "\x13"*715827883 #((2**32)/6 + 1)
json.dumps([sp], ensure_ascii=False)

--
components: Extension Modules
messages: 245891
nosy: benjamin.peterson
priority: normal
severity: normal
status: open
title: Integer overflow in _json_encode_unicode leads to crash (heap-buffer-overflow)
type: security
versions: Python 3.5, Python 3.6

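The size loop quoted in the report adds 2, 6 or 1 to output_size per character and never checks that the running sum stays within Py_ssize_t, so on a 32-bit build the value wraps and PyUnicode_New is asked for a buffer far smaller than the escape loop then writes into. The following is an added example, not CPython's code and not the patch referenced in this thread: the same size computation with the missing bound check. `limit` stands in for PY_SSIZE_T_MAX and is made a parameter here (an assumption of this example) so the overflow path can be exercised with a small limit instead of a multi-gigabyte input; `json_escaped_size_repeated` is this example's own helper for the report's repeated-character proof of concept.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Output length contributed by one code point, following the cases in the
 * quoted size loop: two-character escapes, \u00XX for the other control
 * characters, one character for everything else. */
static int escape_delta(uint32_t c)
{
    switch (c) {
    case '\\': case '"': case '\b': case '\f':
    case '\n': case '\r': case '\t':
        return 2;
    default:
        return (c <= 0x1f) ? 6 : 1;
    }
}

/* Checked version of the size computation. `limit` plays the role of
 * PY_SSIZE_T_MAX (parameterised here, an assumption of this example).
 * Returns 0 and stores the size in *out, or -1 if adding the next delta
 * would exceed `limit`; the check runs before the addition, so the
 * addition itself can never wrap. */
int json_escaped_size(const uint32_t *s, size_t n, int64_t limit, int64_t *out)
{
    int64_t size = 2;                 /* the surrounding double quotes */
    for (size_t i = 0; i < n; i++) {
        int d = escape_delta(s[i]);
        if (size > limit - d)
            return -1;
        size += d;
    }
    *out = size;
    return 0;
}

/* The same bound for a string made of one code point repeated `count`
 * times, which is how the report's proof of concept builds its input.
 * Bounding the multiplication via division avoids materialising the string. */
int json_escaped_size_repeated(uint32_t c, uint64_t count, int64_t limit, int64_t *out)
{
    int d = escape_delta(c);
    if (limit < 2 || count > (uint64_t)(limit - 2) / (uint64_t)d)
        return -1;
    *out = 2 + (int64_t)count * d;
    return 0;
}

int main(void)
{
    /* Constructed input: a letter, a newline and the control character 0x13 */
    uint32_t sample[] = { 'a', '\n', 0x13 };
    int64_t size;

    if (json_escaped_size(sample, 3, INT64_MAX, &size) == 0)
        printf("escaped size of sample: %lld characters\n", (long long)size);

    /* The report's case: 715827883 copies of 0x13. With a 32-bit Py_ssize_t
     * (limit INT32_MAX, as on the i686 build in the report) the unchecked
     * loop wraps; the checked version refuses before any allocation. */
    if (json_escaped_size_repeated(0x13, 715827883ULL, INT32_MAX, &size) != 0)
        printf("32-bit limit: overflow detected, refusing to allocate\n");
    if (json_escaped_size_repeated(0x13, 715827883ULL, INT64_MAX, &size) == 0)
        printf("64-bit limit: %lld characters of output needed\n", (long long)size);
    return 0;
}
```

The check `size > limit - d` is the shape to look for when reviewing any "compute the length, then allocate" loop: it keeps the arithmetic within the signed type, fails closed with an error instead of a wrapped length, and costs one comparison per character.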



[issue24522] Integer overflow in _json_encode_unicode leads to crash (heap-buffer-overflow)

2015-06-27 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 0540e14c4b64 by Benjamin Peterson in branch '3.5':
prevent integer overflow in escape_unicode (closes #24522)
https://hg.python.org/cpython/rev/0540e14c4b64

New changeset fc799b2edf21 by Benjamin Peterson in branch 'default':
merge 3.5 (#24522)
https://hg.python.org/cpython/rev/fc799b2edf21

--
nosy: +python-dev
resolution:  -> fixed
stage:  -> resolved
status: open -> closed
