[New-bugs-announce] [issue12287] ossaudiodev: stack corruption with FD >= FD_SETSIZE

Charles-François Natali report at bugs.python.org
Wed Jun 8 22:37:15 CEST 2011

New submission from Charles-François Natali <neologix at free.fr>:

ossaudiodev's writeall method doesn't check that the FD is less than FD_SETSIZE when passing it to FD_SET: since FD_SET typically doesn't do bounds checking, it will write to a random location in memory (in this case on the stack).
I've attached a test that triggers a segfault on my 32-bit Linux box:
- you must have an OSS-compatible device as /dev/dsp (if you don't you can use "modprobe snd_pcm_oss")
- it tries to increase RLIMIT_NOFILE since it's usually defined to be the same as FD_SETSIZE (1024 on Linux). The script must be run as root for that.
A patch is attached.
The only other place where I've seen a similar problem is in Module/readline.c: I'm not sure it's worth adding this check there :-)

components: Library (Lib)
files: oss_select.diff
keywords: needs review, patch
messages: 137923
nosy: haypo, neologix, pitrou
priority: normal
severity: normal
stage: patch review
status: open
title: ossaudiodev: stack corruption with FD >= FD_SETSIZE
type: crash
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3
Added file: http://bugs.python.org/file22284/oss_select.diff

Python tracker <report at bugs.python.org>
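The missing check described in the report, as an added C example (this is not the attached oss_select.diff and not CPython code; the function names `wait_writable_select` and `wait_writable_poll` are hypothetical). It shows the range test that has to come before `FD_SET`, next to a `poll()` version that has no `FD_SETSIZE` limit.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Wait until fd is writable with select(). FD_SET(fd, &set) with
 * fd >= FD_SETSIZE writes outside the fd_set, so check the range first.
 * Returns 1 if writable, 0 on timeout, -1 on error (errno set). */
int wait_writable_select(int fd, int timeout_ms)
{
    fd_set wfds;
    struct timeval tv = { .tv_sec = timeout_ms / 1000,
                          .tv_usec = (timeout_ms % 1000) * 1000 };

    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_ZERO(&wfds);
    FD_SET(fd, &wfds);
    int rc = select(fd + 1, NULL, &wfds, NULL, &tv);
    if (rc < 0)
        return -1;
    return rc > 0 && FD_ISSET(fd, &wfds);
}

/* Same wait with poll(): the descriptor is passed by value in a
 * struct pollfd, so there is no FD_SETSIZE limit to enforce. */
int wait_writable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLOUT };
    int rc = poll(&p, 1, timeout_ms);
    if (rc < 0)
        return -1;
    if (p.revents & POLLNVAL) {   /* fd is not an open descriptor */
        errno = EBADF;
        return -1;
    }
    return rc > 0 && (p.revents & POLLOUT) != 0;
}

int main(void)
{
    int fds[2];   /* constructed sample: the write end of an empty pipe */
    if (pipe(fds) != 0)
        return 1;
    printf("select=%d poll=%d out-of-range=%d\n", wait_writable_select(fds[1], 0),
           wait_writable_poll(fds[1], 0), wait_writable_select(FD_SETSIZE, 0));
    return 0;
}
```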
