[issue2587] PyString_FromStringAndSize() to be considered unsane
New submission from Justin Ferguson [EMAIL PROTECTED]:

The PyString_FromStringAndSize() function takes a pointer and a signed integer as input parameters; however, it fails to adequately check the sanity of the integer argument. Because of the failure to check for negative values, and because it sums the integer with the size of the PyStringObject structure, it becomes possible for the allocator to take either of the code paths in PyObject_MALLOC(), both of which will incorrectly allocate memory. This may not seem like a big deal, but I'm posting this instead of filing a bug for every place this screws you guys over.

    if (0 > len || len > PY_SSIZE_T_MAX/sizeof(PyStringObject))
        return NULL;

--
components: Interpreter Core
messages: 65172
nosy: jnferguson
severity: normal
status: open
title: PyString_FromStringAndSize() to be considered unsane
type: security
versions: Python 2.5

__
Tracker [EMAIL PROTECTED]
http://bugs.python.org/issue2587
__
___
Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
Amaury Forgeot d'Arc [EMAIL PROTECTED] added the comment:

This is done already: the second line in PyString_FromStringAndSize() is

    assert(size >= 0);

You have to build python in debug mode though...

Oh, I realize this is not a real patch: no error is raised, and why PY_SSIZE_T_MAX/sizeof(PyStringObject), when the allocation is PyObject_MALLOC(sizeof(PyStringObject)+size)?

--
nosy: +amaury.forgeotdarc
Justin Ferguson [EMAIL PROTECTED] added the comment:

The problem with assert()s is that they require debugging to be enabled; obviously, who compiles it that way? You may not even want to worry about the second check: when you pass it into the allocator it gets converted to an unsigned int, which will cause the allocator to either fail (32-bit) or allocate more memory than expected; in either case it's handled/benign. If you'd prefer, I can file every place where this actually bites you guys; I was just trying to be nice.
Justin Ferguson [EMAIL PROTECTED] added the comment:

Adding a PoC from 2586 to demonstrate my point; this causes a call to the allocator requesting zero bytes.

Added file: http://bugs.python.org/file9985/python-2.5.2-zlib-unflush-misallocation.py
Justin Ferguson [EMAIL PROTECTED] added the comment:

As an addendum, consider the following code (there's no assert, but it wouldn't have helped you outside of debug builds anyway):

    static PyObject *PySSL_SSLread(PySSLObject *self, PyObject *args)
    {
        PyObject *buf;
        int count = 0;
        int len = 1024;
        [...]
        if (!PyArg_ParseTuple(args, "|i:read", &len))
            return NULL;

        if (!(buf = PyString_FromStringAndSize((char *) 0, len)))
            return NULL;
        [...]
        count = SSL_read(self->ssl, PyString_AsString(buf), len);
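The thread makes two points that are easy to get wrong: a negative length must be rejected before it is added to the header size (the original report), and the upper bound has to be additive, len <= MAX - sizeof(header), rather than a division, because the allocation is sizeof(header) + len (Amaury's comment). The following C program is an added example written for this page, not CPython code: the demo_ types, the DEMO_SSIZE_T_MAX macro and the simplified header layout are constructed stand-ins for Py_ssize_t, PY_SSIZE_T_MAX and PyStringObject. It puts the unchecked size computation next to a hardened one and shows that a caller-supplied negative length, as in the PySSL_SSLread() case above, is rejected centrally.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for Py_ssize_t and PY_SSIZE_T_MAX (not CPython's headers). */
typedef ptrdiff_t demo_ssize_t;
#define DEMO_SSIZE_T_MAX PTRDIFF_MAX

/* Hypothetical object layout: a fixed header followed by the string bytes and a
 * NUL.  The real PyStringObject is not reproduced here; only the "header + len"
 * allocation pattern matters for the size check. */
typedef struct {
    demo_ssize_t ob_refcnt;
    demo_ssize_t ob_size;
    long         ob_shash;
    char         ob_sval[1];     /* header already holds room for the NUL */
} demo_string_object;

/* What the unchecked path computes: sizeof(header) + len with len converted to
 * size_t.  A negative len wraps around; len == -sizeof(header) yields 0. */
size_t demo_unchecked_alloc_size(demo_ssize_t len)
{
    return sizeof(demo_string_object) + (size_t)len;
}

/* Hardened version: reject negative lengths, then bound len additively so that
 * sizeof(header) + len cannot exceed DEMO_SSIZE_T_MAX.  Returns -1 on reject. */
demo_ssize_t demo_checked_alloc_size(demo_ssize_t len)
{
    if (len < 0)
        return -1;
    if ((size_t)len > (size_t)DEMO_SSIZE_T_MAX - sizeof(demo_string_object))
        return -1;
    return (demo_ssize_t)(sizeof(demo_string_object) + (size_t)len);
}

/* Allocates a demo string object of `len` bytes, copying from `src` when it is
 * non-NULL; returns NULL when the length is rejected or malloc fails. */
demo_string_object *demo_string_from_string_and_size(const char *src, demo_ssize_t len)
{
    demo_ssize_t total = demo_checked_alloc_size(len);
    if (total < 0)
        return NULL;                       /* the (char *)0, -40 case lands here */
    demo_string_object *obj = malloc((size_t)total);
    if (obj == NULL)
        return NULL;
    obj->ob_refcnt = 1;
    obj->ob_size = len;
    obj->ob_shash = -1;
    if (src != NULL && len > 0)
        memcpy(obj->ob_sval, src, (size_t)len);
    obj->ob_sval[len] = '\0';
    return obj;
}

/* Round-trip helper: 1 if a string of `len` bytes built from `src` reads back
 * as `expect` with the right ob_size, 0 otherwise. */
int demo_roundtrip_ok(const char *src, demo_ssize_t len, const char *expect)
{
    demo_string_object *obj = demo_string_from_string_and_size(src, len);
    if (obj == NULL)
        return 0;
    int ok = obj->ob_size == len && strcmp(obj->ob_sval, expect) == 0;
    free(obj);
    return ok;
}

int main(void)
{
    /* A caller passing a user-controlled negative int, as PySSL_SSLread() does
     * with its `len` argument, gets NULL instead of a wrapped allocation. */
    return demo_string_from_string_and_size((char *)0, -40) == NULL ? 0 : 1;
}
```

The check lives in the constructor rather than in each caller, which is the point of the report: a release build has no assert(), so the callee itself has to return an error for len < 0, and the additive bound keeps sizeof(header) + len from overflowing on the large side as well.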