[issue27254] heap overflow in Tkinter module

2016-06-08 Thread Emin Ghuliev
Emin Ghuliev added the comment:

pseudocode

    <+16>: movsxd rdx, DWORD PTR [rbx+0x8]
    <+20>: lea    eax, [rdx+rbp*1]

newSize = length ($rdx) + dsPtr->length ($rbp)

    gdb > print /x $rbp
    $5 = 0xf
    gdb > print /x $rdx
    $6 = 0x10

newsize = 0xf+0x10 = 0x1f

cmp
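As an added illustration (not code from the thread, from Tcl or from CPython) of where the bounds check around the newSize = length + dsPtr->length computation has to sit: a simplified DString model with an assumed 16-byte static buffer, exercised with the 0xf and 0x10 lengths from the gdb session above. The thread does not pin down where Tcl's check is missing; this only shows what a correct append must do before it copies.

```c
#include <stdlib.h>
#include <string.h>

/* Model of a Tcl_DString-like growable string (assumed for this example,
 * not Tcl's code): a small static buffer that spills over to the heap. */
#define DS_STATIC_SIZE 16

typedef struct {
    char *string;      /* staticSpace or a heap block */
    size_t length;     /* bytes in use, excluding the NUL */
    size_t spaceAvl;   /* capacity of string, including the NUL */
    char staticSpace[DS_STATIC_SIZE];
} DString;

void ds_init(DString *ds) {
    ds->string = ds->staticSpace;
    ds->length = 0;
    ds->spaceAvl = DS_STATIC_SIZE;
    ds->staticSpace[0] = '\0';
}

/* The check that must precede any memcpy: newSize is the
 * "length + dsPtr->length" sum from the gdb session, plus room for the NUL. */
int ds_fits(const DString *ds, size_t length) {
    return length + ds->length < ds->spaceAvl;
}

/* Bounds-checked append; grows onto the heap when the buffer is too small.
 * Returns 0 on success, -1 if allocation fails (then nothing is written). */
int ds_append(DString *ds, const char *bytes, size_t length) {
    size_t newSize = length + ds->length;
    if (!ds_fits(ds, length)) {
        size_t newSpace = newSize * 2 + 1;          /* amortised growth */
        char *p = malloc(newSpace);
        if (p == NULL)
            return -1;
        memcpy(p, ds->string, ds->length + 1);     /* old bytes plus NUL */
        if (ds->string != ds->staticSpace)
            free(ds->string);
        ds->string = p;
        ds->spaceAvl = newSpace;
    }
    memcpy(ds->string + ds->length, bytes, length);
    ds->length = newSize;
    ds->string[newSize] = '\0';
    return 0;
}
```

When the string has moved to the heap, the caller frees ds.string itself; the static buffer needs no cleanup.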

2016-06-08 Thread Emin Ghuliev
Emin Ghuliev added the comment: the appropriate size should be chosen I) -- ___ Python tracker ___ ___

2016-06-08 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: What size is safe for className?

2016-06-08 Thread Emin Ghuliev
Emin Ghuliev added the comment: Yeah, you're right, but Python doesn't check the className length. Therefore the heap overflow occurred in Tcl.

2016-06-07 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Minimal reproducer:

    from tkinter import Tk
    Tk(className='A'*0xf)

This looks like a Tcl/Tk problem.

--
nosy: +serhiy.storchaka
type: security -> crash
versions: +Python 3.5, Python 3.6 -Python 3.3, Python 3.4

2016-06-07 Thread Emin Ghuliev
New submission from Emin Ghuliev:

    /* This is used to get the application class for Tk 4.1 and up */
    argv0 = (char*)attemptckalloc(strlen(className) + 1);  // <=== classname allocated
    if (!argv0) {
        PyErr_NoMemory();
        Py_DECREF(v);
        return NULL;
    }