[New-bugs-announce] [issue23362] integer overflow in string translate

paul report at bugs.python.org
Sun Feb 1 14:53:20 CET 2015


New submission from paul:

# Bug
# ---
# 
# PyObject *
# _PyUnicode_TranslateCharmap(PyObject *input,
#                             PyObject *mapping,
#                             const char *errors)
# {
#     ...
#     size = PyUnicode_GET_LENGTH(input);
#     ...
#     osize = size;
# 1   output = PyMem_Malloc(osize * sizeof(Py_UCS4));
# 
# 1. Input size = 2^30, so osize*sizeof(Py_UCS4)=2^32==0 (modulo 2^32) and malloc
#    allocates a 0 byte buffer
# 
# Crash
# -----
# 
# Breakpoint 2, _PyUnicode_TranslateCharmap (
#     input='aa...', mapping={97: 'b'}, errors=0x828c82b "ignore") at Objects/unicodeobject.c:8597
# 8597    {
# ...
# 8636        output = PyMem_Malloc(osize * sizeof(Py_UCS4));
# (gdb) print osize
# $1 = 1073741824
# (gdb) print osize*4
# $2 = 0
# (gdb) c
# Continuing.
#  
# Program received signal SIGSEGV, Segmentation fault.
# 0x0814aed2 in charmaptranslate_output (
#     input='aa...', ipos=51302, mapping={97: 'b'}, output=0xbfc40860, osize=0xbfc40864, opos=0xbfc40868,
#     res=0xbfc40874) at Objects/unicodeobject.c:8574
# 8574                (*output)[(*opos)++] = PyUnicode_READ_CHAR(*res, 0);
# 
# OS info
# -------
# 
# % ./python -V
# Python 3.4.1
#  
# % uname -a
# Linux ubuntu 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 15:31:16 UTC 2013 i686 i686 i386 GNU/Linux
#  
 
s="a"*(2**30)
s.translate({ord('a'): 'b'})

----------
files: poc_translate.py
messages: 235169
nosy: pkt
priority: normal
severity: normal
status: open
title: integer overflow in string translate
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file37961/poc_translate.py

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23362>
_______________________________________
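The allocation-size arithmetic at the reported call site, as an added example that is not code from the report or from CPython: on the 32-bit build shown in the gdb session, `osize * sizeof(Py_UCS4)` wraps to 0 for 2^30 code points, while a guard against `SIZE_MAX / sizeof(Py_UCS4)` rejects the count before any allocation happens. The 32-bit size type, the function names and the host-side allocator are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Assumption: model the i686 target from the report, where size_t is 32 bits. */
typedef uint32_t target_size_t;
#define TARGET_SIZE_MAX UINT32_MAX
#define SIZEOF_PY_UCS4 4u   /* sizeof(Py_UCS4) is 4 on every platform */

/* The arithmetic at the reported allocation site, unchecked: the product is
 * reduced modulo 2^32, so 2^30 code points turn into a 0-byte request and
 * every later store into the buffer is out of bounds. */
target_size_t unchecked_bytes(target_size_t osize)
{
    return osize * SIZEOF_PY_UCS4;
}

/* Overflow-checked variant: refuses any element count whose byte size would
 * not fit in target_size_t. Returns true and stores the size on success. */
bool checked_bytes(target_size_t osize, target_size_t *out)
{
    if (osize > TARGET_SIZE_MAX / SIZEOF_PY_UCS4)
        return false;           /* caller should raise MemoryError instead */
    *out = osize * SIZEOF_PY_UCS4;
    return true;
}

/* Hypothetical host-side allocator applying the same guard with the real
 * size_t, the pattern to use in front of a PyMem_Malloc of osize elements. */
void *alloc_ucs4_buffer(size_t osize)
{
    if (osize > SIZE_MAX / sizeof(uint32_t))
        return NULL;            /* would overflow: report allocation failure */
    return malloc(osize * sizeof(uint32_t));
}

int main(void)
{
    target_size_t n = 0;
    /* 2^30 code points: wrapped size is 0, checked version refuses it. */
    if (unchecked_bytes(1073741824u) != 0 || checked_bytes(1073741824u, &n))
        return 1;
    void *buf = alloc_ucs4_buffer(51302);   /* ipos from the crash trace */
    free(buf);
    return buf == NULL;
}
```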

