[issue12287] ossaudiodev: stack corruption with FD >= FD_SETSIZE

Antoine Pitrou report at bugs.python.org
Wed Jun 8 22:43:57 CEST 2011


Antoine Pitrou <pitrou at free.fr> added the comment:

> ossaudiodev's writeall method doesn't check that the FD is less than
> FD_SETSIZE when passing it to FD_SET: since FD_SET typically doesn't
> do bounds checking, it will write to a random location in memory (in this
> case on the stack).
> I've attached a test that triggers a segfault on my 32-bit Linux box:
> - you must have an OSS-compatible device as /dev/dsp (if you don't you
> can use "modprobe snd_pcm_oss")
> - it tries to increase RLIMIT_NOFILE since it's usually defined to be
> the same as FD_SETSIZE (1024 on Linux). The script must be run as root
> for that.
> A patch is attached.

Well, the test doesn't work here ("IOError: [Errno 16] Device or
resource busy: '/dev/dsp'", probably because of PulseAudio already using
it), but the patch looks simple enough.

By the way, this function still uses "y#" instead of "y*", this could be
the topic of another issue if you are interested.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue12287>
_______________________________________
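
The missing check described in the report, as an added example (this is not the patch attached to the issue and not ossaudiodev's code): a select()-based wait that rejects descriptors outside the fd_set range before FD_SET runs, next to a poll()-based variant that has no FD_SETSIZE ceiling. The function names and the pipe used as test input are hypothetical.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Hypothetical helper: wait until fd is writable using select().
 * Returns 1 if writable, 0 on timeout, -1 on error (errno set).
 * FD_SET indexes a fixed-size bitmap unchecked, so the check comes first. */
int wait_writable_select(int fd, int timeout_ms)
{
    fd_set wfds;
    struct timeval tv = { .tv_sec = timeout_ms / 1000, .tv_usec = (timeout_ms % 1000) * 1000 };
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;   /* refuse instead of writing past the fd_set */
        return -1;
    }
    FD_ZERO(&wfds);
    FD_SET(fd, &wfds);
    int rc = select(fd + 1, NULL, &wfds, NULL, &tv);
    return rc < 0 ? -1 : (rc > 0 && FD_ISSET(fd, &wfds));
}

/* Same contract using poll(), which takes an array of descriptors
 * and therefore has no FD_SETSIZE limit. */
int wait_writable_poll(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
    if (fd < 0) { errno = EINVAL; return -1; }
    int rc = poll(&pfd, 1, timeout_ms);
    return rc < 0 ? -1 : (rc > 0 && (pfd.revents & POLLOUT) != 0);
}

/* Constructed input: the write end of a fresh pipe is writable at once. */
int demo_pipe(int use_poll)
{
    int p[2], rc;
    if (pipe(p) != 0) return -1;
    rc = use_poll ? wait_writable_poll(p[1], 100) : wait_writable_select(p[1], 100);
    close(p[0]);
    close(p[1]);
    return rc;
}

int main(void)
{
    printf("select: %d, poll: %d\n", demo_pipe(0), demo_pipe(1));
    printf("fd == FD_SETSIZE: %d\n", wait_writable_select(FD_SETSIZE, 0));
    return 0;
}
```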

