[New-bugs-announce] [issue12287] ossaudiodev: stack corruption with FD >= FD_SETSIZE
report at bugs.python.org
Wed Jun 8 22:37:15 CEST 2011
New submission from Charles-François Natali <neologix at free.fr>:
ossaudiodev's writeall method doesn't check that the FD is less than FD_SETSIZE when passing it to FD_SET: since FD_SET typically doesn't do bounds checking, it will write to a random location in memory (in this case on the stack).
I've attached a test that triggers a segfault on my 32-bit Linux box:
- you must have an OSS-compatible device as /dev/dsp (if you don't, you can use "modprobe snd_pcm_oss")
- it tries to increase RLIMIT_NOFILE since it's usually defined to be the same as FD_SETSIZE (1024 on Linux). The script must be run as root for that.
A patch is attached.
The only other place where I've seen a similar problem is in Module/readline.c: I'm not sure it's worth adding this check there :-)
components: Library (Lib)
keywords: needs review, patch
nosy: haypo, neologix, pitrou
stage: patch review
title: ossaudiodev: stack corruption with FD >= FD_SETSIZE
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3
Added file: http://bugs.python.org/file22284/oss_select.diff
Python tracker <report at bugs.python.org>
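
The class of check the report describes, as an added example (not the attached oss_select.diff and not CPython code): a select() wrapper that rejects descriptors that do not fit in an fd_set, next to a poll() variant that has no FD_SETSIZE limit. The function names and the EINVAL error code are assumptions made for this illustration.

```c
/* Added example: guard select() against fds that do not fit in fd_set. */
#include <errno.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical helper: returns 1 if fd is writable, 0 on timeout, -1 on error.
 * FD_SET() indexes a fixed-size bit array, so fd must be range-checked first. */
int wait_writable_select(int fd, int timeout_ms)
{
    fd_set wfds;
    struct timeval tv;

    if (fd < 0 || fd >= FD_SETSIZE) {   /* the check the report says is missing */
        errno = EINVAL;                 /* assumption: error code chosen here */
        return -1;
    }
    FD_ZERO(&wfds);
    FD_SET(fd, &wfds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    int n = select(fd + 1, NULL, &wfds, NULL, &tv);
    if (n < 0) return -1;
    return n > 0 && FD_ISSET(fd, &wfds) ? 1 : 0;
}

/* Alternative with no FD_SETSIZE limit: poll() takes the fd by value.
 * Returns 1 if POLLOUT is reported, 0 otherwise, -1 on error. */
int wait_writable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLOUT };
    int n = poll(&p, 1, timeout_ms);
    if (n < 0) return -1;
    if (n > 0 && (p.revents & POLLNVAL)) { errno = EBADF; return -1; }
    return n > 0 && (p.revents & POLLOUT) ? 1 : 0;
}

/* Constructed demo: the write end of an empty pipe is immediately writable. */
int demo_pipe(int use_poll)
{
    int p[2];
    if (pipe(p) != 0) return -1;
    int r = use_poll ? wait_writable_poll(p[1], 0) : wait_writable_select(p[1], 0);
    close(p[0]);
    close(p[1]);
    return r;
}
```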