[Patches] [ python-Patches-665458 ] Crash in binascii_a2b_uu on corrupt data

SourceForge.net noreply@sourceforge.net
Thu, 16 Jan 2003 13:42:08 -0800


Patches item #665458, was opened at 2003-01-09 21:44
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=305470&aid=665458&group_id=5470

Category: Library (Lib)
Group: None
Status: Open
Resolution: None
Priority: 5
Submitted By: Michael Scharf (scharf)
Assigned to: Nobody/Anonymous (nobody)
Summary: Crash in binascii_a2b_uu on corrupt data

Initial Comment:
When I unpacked 50 gigabytes of randomly downloaded 
usenet binary news posts Python crashed (randomly) on 
Windows. After long tracking (I didn't have a debug 
version) I found the problem in binascii_a2b_uu:

When reading the input data, the boundaries of the input 
string are not checked. With corrupted uuencoded data 
(the first byte gives the length of the encoded string), the 
function reads out of bounds of the input string. That is 
not a problem (in most cases) but sometimes (it 
happened typically after 20-30 gigabytes of parsed data) 
the allocated string might be at the end of a 
memory 'segment' and there is no string after the 
allocated string. And that causes a crash.

I have attached a patch to solve the problem. (Python 
2.2.2)

Michael

----------------------------------------------------------------------

>Comment By: Neal Norwitz (nnorwitz)
Date: 2003-01-16 16:42

Message:

I agree there is a problem, although I'm concerned about
changing the behaviour.  Currently, if the data is short,
it is filled with null characters.  With this patch an
exception is raised.  Ideally, the patch is correct, but my
concern is that many people rely on the output being
null-filled.

I believe the following change around line 207 keeps the
behaviour and would avoid the crash:

-               this_ch = *ascii_data;
+               this_ch = (ascii_len > 0) ? *ascii_data : 0;
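
Review bot: The guard in `this_ch = (ascii_len > 0) ? *ascii_data : 0;` only prevents the over-read if `ascii_len` is decremented every time `ascii_data` advances, and neither update is visible in this hunk, so that invariant should be checked in the surrounding loop. The substituted 0 also has to bypass any range check applied to `this_ch` afterwards so that it contributes zero bits instead of being rejected as an illegal character, otherwise the null-fill behaviour described above is not preserved. A regression test with a line whose length byte claims more data than is present would pin down both points.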


----------------------------------------------------------------------
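
The over-read described in the initial comment and the two behaviours discussed in the reply (raise an error, or keep null-filling), as an added C example that is not the attached patch or CPython's `binascii` code. `uu_decode_line`, `UU_FILL` and `UU_STRICT` are hypothetical names, and the input line is constructed.

```c
#include <stddef.h>
#include <stdio.h>

enum { UU_FILL = 0, UU_STRICT = 1 };  /* hypothetical policy names */

/* Decode one uuencoded line; returns bytes written, or -1 on error.
 * Every read of `in` is guarded by in_len, so a length byte that claims
 * more data than the line holds can never walk past the buffer. */
long uu_decode_line(const unsigned char *in, size_t in_len,
                    unsigned char *out, size_t out_cap, int policy)
{
    if (in_len == 0 || in[0] < ' ' || in[0] > ' ' + 64)
        return -1;
    size_t want = (size_t)(in[0] - ' ') & 0x3f;  /* claimed decoded length */
    in++; in_len--;
    if (want > out_cap)
        return -1;
    unsigned int acc = 0, six;
    int bits = 0;
    size_t n = 0;
    while (n < want) {
        if (in_len > 0 && *in != '\n' && *in != '\r') {
            if (*in < ' ' || *in > ' ' + 64)
                return -1;                       /* not a uuencode character */
            six = (unsigned int)(*in - ' ') & 0x3f;
            in++; in_len--;
        } else if (policy == UU_STRICT) {
            return -1;                           /* truncated line is an error */
        } else {
            six = 0;                             /* truncated line: zero bits */
        }
        acc = ((acc << 6) | six) & 0xffff;       /* keep only unconsumed bits */
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out[n++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (long)n;
}

int main(void)
{
    /* Constructed input: 'M' claims 45 bytes, but only 3 are encoded. */
    const unsigned char bad[] = "M0V%T";
    unsigned char out[64];
    printf("fill:   %ld\n", uu_decode_line(bad, 5, out, sizeof out, UU_FILL));
    printf("strict: %ld\n", uu_decode_line(bad, 5, out, sizeof out, UU_STRICT));
    return 0;
}
```
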