[Python-bugs-list] [ python-Bugs-494738 ] binascii_b2a_base64 overwrites memory

noreply@sourceforge.net noreply@sourceforge.net
Tue, 18 Dec 2001 20:44:41 -0800 

Bugs item #494738, was opened at 2001-12-18 11:55
You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=494738&group_id=5470

Category: Python Library
>Group: None
>Status: Closed
>Resolution: Fixed
Priority: 5
Submitted By: David Costanzo (david_costanzo)
>Assigned to: Tim Peters (tim_one)
Summary: binascii_b2a_base64 overwrites memory

Initial Comment:
I'm maintaining code that is based on the binascii.c 
found in Python-2.1.1/Modules directory (Python 2.1..  
The code has a memory bounds overwrite when encoding 
binascii_b2a_base64 for small chunks of binary data.

The bug in my code is that allocates an incorrect 
upper bound.  For each byte of binary data, it 
allocates two bytes for the ascii format.  It looks 
like it really needs four bytes of binary data for 
every three bytes of binary data, rounded up, plus one 
byte for the courtesy newline.  The analogous line of 
code in binascii.c is line 425.

As a test case, the ascii representation of the one 
byte binary string 'b' takes five characters 'Yg==\n', 
not twice the lenght of the original.  (There are two 
two bytes of signal, two pad bytes, and a courtesy 
newline.)  My code now uses ((bin_len + 2) / 3) * 4 + 
1) as the buffer length.

I ran Python 2.0 under a heap validator program called 
Purify and attempted to reproduce the memory 
overwrite, but I was unable to.  This probably means 
that this bug does not exist in Python.  I am 
submitting it as a bug anyway, in case Python is using 
a memory heap that confuses Purify.


----------------------------------------------------------------------

>Comment By: Tim Peters (tim_one)
Date: 2001-12-18 20:44

Message:
Logged In: YES 
user_id=31435

Good eye!  I agree the calculation is faulty for small 
inputs, and repaired it in

Misc/ACKS; new revision: 1.146
Modules/binascii.c; new revision: 2.33

We haven't seen this trigger under Purify either.  Offhand 
guess is that malloc rounds up to a multiple of 8 bytes 
regardless, and that hidden padding is enough to absorb the 
overwrite.

----------------------------------------------------------------------

You can respond by visiting: 
http://sourceforge.net/tracker/?func=detail&atid=105470&aid=494738&group_id=5470