[issue23368] integer overflow in _PyUnicode_AsKind
paul
report at bugs.python.org
Sun Feb 1 14:58:39 CET 2015
New submission from paul:
# Bug
# ---
#
# void*
# _PyUnicode_AsKind(PyObject *s, unsigned int kind)
# {
# Py_ssize_t len;
# ...
# len = PyUnicode_GET_LENGTH(s);
# ...
# switch (kind) {
# ...
# case PyUnicode_4BYTE_KIND:
# 1 result = PyMem_Malloc(len * sizeof(Py_UCS4));
# ...
# else {
# assert(skind == PyUnicode_1BYTE_KIND);
# 2 _PyUnicode_CONVERT_BYTES(
# Py_UCS1, Py_UCS4,
# PyUnicode_1BYTE_DATA(s),
# PyUnicode_1BYTE_DATA(s) + len,
# result);
# }
#
# 1. len equals 2^30, so len*sizeof(Py_UCS4)=2^30*2^2=2^32, which gets casted
# down to 0, since PyMem_Malloc takes size_t as the parameter. Resulting buffer
# is 0 bytes big.
# 2. chars from the source string s (which are 1 byte long) are expanded to 4
# bytes and copied to the 'result' buffer, which is too small to hold them all
#
# Stack trace
# -----------
#
# Breakpoint 2, _PyUnicode_AsKind (
# s='a...', kind=4) at Objects/unicodeobject.c:2176
# 2176 if (PyUnicode_READY(s) == -1)
# (gdb) n
# 2179 len = PyUnicode_GET_LENGTH(s);
# (gdb) n
# 2180 skind = PyUnicode_KIND(s);
# (gdb) n
# 2181 if (skind >= kind) {
# (gdb) n
# 2185 switch (kind) {
# (gdb) n
# 2198 result = PyMem_Malloc(len * sizeof(Py_UCS4));
# (gdb) print len
# $10 = 1073741824
# (gdb) print skind
# $11 = 1
# (gdb) print kind
# $12 = 4
# (gdb) print len*4
# $13 = 0
# (gdb) c
# Continuing.
#
# Program received signal SIGSEGV, Segmentation fault.
# 0x08130b56 in _PyUnicode_AsKind (
# s='a...', kind=4) at Objects/unicodeobject.c:2210
# 2210 _PyUnicode_CONVERT_BYTES(
#
# OS info
# -------
#
# % ./python -V
# Python 3.4.1
#
# % uname -a
# Linux ubuntu 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 15:31:16 UTC 2013 i686 i686 i386 GNU/Linux
#
# POC
# ---
txt=b"\x0a\x0a\x0a\x00"
uni=txt.decode("utf-32")
sub="a"*(2**30)
uni.count(sub)
----------
files: poc_askind.py
messages: 235176
nosy: pkt
priority: normal
severity: normal
status: open
title: integer overflow in _PyUnicode_AsKind
type: crash
versions: Python 3.4
Added file: http://bugs.python.org/file37967/poc_askind.py
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue23368>
_______________________________________
More information about the Python-bugs-list
mailing list