[issue24989] scan_eol() Buffer Over-read

Changes by Arfrever Frehtes Taifersar Arahesis : -- nosy: +Arfrever ___ Python tracker ___

[issue24989] scan_eol() Buffer Over-read

Roundup Robot added the comment: New changeset 07e04c34bab5 by Larry Hastings in branch '3.5': Merged in storchaka/cpython350 (pull request #13) https://hg.python.org/cpython/rev/07e04c34bab5 -- ___ Python tracker

[issue24989] scan_eol() Buffer Over-read

Changes by Serhiy Storchaka : -- nosy: +larry ___ Python tracker ___ ___

[issue24989] scan_eol() Buffer Over-read

Serhiy Storchaka added the comment: It should be self->string_size, not PyBytes_GET_SIZE(self->buf). Thank you for your report and your patch John. Here is revised patch with tests based on Martin's test. Larry, perhaps this bug is grave enough to be fixed in RC3. -- components:

[issue24989] scan_eol() Buffer Over-read

STINNER Victor added the comment: scan_eol_Buffer_Over-read_2.patch looks good to me. > Larry, perhaps this bug is grave enough to be fixed in RC3. Since it looks like a regression in Python 3.5, yes, it's a severe bug. Please send a pull request to Larry for it. --

[issue24989] scan_eol() Buffer Over-read

Larry Hastings added the comment: Yes, please create a pull request for this patch. Thanks! And just to confirm: I just applied patch 2 to CPython, then undid the change to bytesio.c. The new test fails, and sometimes Python will segmentation fault. If I then apply the patch to bytesio.c

[issue24989] scan_eol() Buffer Over-read

Changes by Larry Hastings : -- priority: high -> release blocker ___ Python tracker ___

[issue24989] scan_eol() Buffer Over-read

Roundup Robot added the comment: New changeset a5858c30db7c by Serhiy Storchaka in branch '3.5': Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is https://hg.python.org/cpython/rev/a5858c30db7c New changeset 215800fb955d by Serhiy Storchaka in branch 'default': Issue

[issue24989] scan_eol() Buffer Over-read

Serhiy Storchaka added the comment: https://bitbucket.org/larry/cpython350/pull-requests/13/issue-24989/diff -- ___ Python tracker ___

[issue24989] scan_eol() Buffer Over-read

Larry Hastings added the comment: Pull request accepted. Please forward-merge. Thanks! -- resolution: -> fixed stage: patch review -> resolved status: open -> closed ___ Python tracker

[issue24989] scan_eol() Buffer Over-read

Roundup Robot added the comment: New changeset 2b6ce7e9595c by Serhiy Storchaka in branch '3.5': Issue #24989: Fixed buffer overread in BytesIO.readline() if a position is https://hg.python.org/cpython/rev/2b6ce7e9595c -- ___ Python tracker

[issue24989] scan_eol() Buffer Over-read

Changes by John Leitch : Added file: http://bugs.python.org/file40327/scan_eol_Buffer_Over-read.py ___ Python tracker ___

[issue24989] scan_eol() Buffer Over-read

New submission from John Leitch: Python 3.5 suffers from a vulnerability caused by the behavior of the scan_eol() function. When called, the function gets a line from the buffer of a BytesIO object by searching for a newline character starting at the position in the buffer. However, if the

[issue24989] scan_eol() Buffer Over-read

Changes by STINNER Victor : -- nosy: +haypo, serhiy.storchaka ___ Python tracker ___

[issue24989] scan_eol() Buffer Over-read

Martin Panter added the comment: Simpler test case, which might find a place somewhere like /Lib/test/test_memoryio.py: >>> from io import BytesIO >>> b = BytesIO() >>> b.seek(1) 1 >>> b.readlines() # Should return an empty list Segmentation fault (core dumped) [Exit 139] The patch looks

[issue24989] scan_eol() Buffer Over-read

John Leitch added the comment: We based our fix on the check in write_bytes: if (endpos > (size_t)PyBytes_GET_SIZE(self->buf)) { if (resize_buffer(self, endpos) < 0) return -1; } I see now that our casting was extraneous. As for the macro, it was suspected that

[issue24989] scan_eol() Buffer Over-read

Changes by Serhiy Storchaka : -- assignee: -> serhiy.storchaka priority: normal -> high versions: +Python 3.6 ___ Python tracker