[New-bugs-announce] [issue2590] S_unpack_from() Read Access Violation
Justin Ferguson
report at bugs.python.org
Tue Apr 8 18:09:34 CEST 2008
New submission from Justin Ferguson <justin.ferguson at ioactive.com>:
The S_unpack_from() function in Modules/_struct.c does not adequately
validate its arguments, potentially causing an out-of-bounds read
access. It should be noted that the check at line 1561 is inadequate for
obscene values of offset. Finally, because they're not really important
and I really don't want to type them all up-- you guys might want to go
through your code-- especially the modules and look for constructs where
an empty string will cause memory to be uninitialized-- look at the
audioop module for examples of what I mean-- the only thing that
actually saved you guys from overflows there was that the loops you
write with use the same variable.
1533 static PyObject *
1534 s_unpack_from(PyObject *self, PyObject *args, PyObject *kwds)
1535 {
1536 static char *kwlist[] = {"buffer", "offset", 0};
1537 #if (PY_VERSION_HEX < 0x02050000)
1538 static char *fmt = "z#|i:unpack_from";
1539 #else
1540 static char *fmt = "z#|n:unpack_from";
1541 #endif
1542 Py_ssize_t buffer_len = 0, offset = 0;
[...]
1547
1548 if (!PyArg_ParseTupleAndKeywords(args, kwds, fmt, kwlist,
1549 &buffer, &buffer_len,
&offset))
1550 return NULL;
[...]
1558 if (offset < 0)
1559 offset += buffer_len;
1560
1561 if (offset < 0 || (buffer_len - offset) < soself->s_size) {
[...]
1566 }
1567 return s_unpack_internal(soself, buffer + offset);
1568 }
----------
components: Extension Modules
messages: 65178
nosy: jnferguson
severity: normal
status: open
title: S_unpack_from() Read Access Violation
type: security
versions: Python 2.5
__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2590>
__________________________________
More information about the New-bugs-announce
mailing list