[issue27666] "stack smashing detected" in PyCursesWindow_Box

Steve Fink report at bugs.python.org
Mon Aug 1 19:52:30 EDT 2016


New submission from Steve Fink:

When attempting to run |hg chistedit|, which uses the python curses module, I am getting *** stack smashing detected ***: /usr/bin/python terminated

The problem is in PyCursesWindow_Box in _cursesmodule.c:

        if (!PyArg_ParseTuple(args,"ll;vertint,horint", &ch1, &ch2))
            return NULL;

ch1 and ch2 are of type 'chtype', which is a 4-byte integer on my platform. (I am on a fresh install of Fedora 24 x86_64.) The format string 'l' is writing 8 bytes. It is hard to fit 8 bytes into a 4 byte variable.

I scanned through the rest of the file. Most places are very careful about this; if needed, they'll parse into a 'long' temporary and then assign. But here's another one in PyCurses_UngetMouse:

    MEVENT event;
    PyCursesInitialised;
    if (!PyArg_ParseTuple(args, "hiiil",
                          &event.id,
                          &event.x, &event.y, &event.z,
                          (int *) &event.bstate))
        return NULL;

event.bstate is of type mmask_t, which is also 4 bytes.

I did not find any more in that file.

% rpm -q python-libs
python-libs-2.7.12-1.fc24.x86_64

----------
components: Library (Lib)
messages: 271796
nosy: Steve Fink
priority: normal
severity: normal
status: open
title: "stack smashing detected" in PyCursesWindow_Box
type: crash
versions: Python 2.7

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27666>
_______________________________________
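An added example, not code from the report or from CPython: it reproduces the size mismatch described above without corrupting a real stack, next to the "parse into a long temporary, then assign" pattern the report mentions. `chtype_demo`, `struct frame`, `store_as_long` and the range check are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 4-byte stand-in for curses' chtype as on the reporter's platform. */
typedef uint32_t chtype_demo;

/* Hypothetical frame: ch1 followed by whatever lives next to it on the stack.
   neighbour is sized so the oversized store below stays inside this object. */
struct frame {
    chtype_demo ch1;
    unsigned char neighbour[sizeof(long)];
};

/* Mimics an 'l' format unit: stores a full C long at dst. */
static void store_as_long(void *dst, long value) {
    memcpy(dst, &value, sizeof value);
}

/* Unsafe pattern: hand the 'l' store the address of a 4-byte variable.
   Returns how many bytes past ch1 were overwritten. */
size_t bytes_clobbered(long value) {
    struct frame f;
    size_t i, n = 0;
    memset(&f, 0xAA, sizeof f);          /* sentinel fill */
    store_as_long(&f, value);            /* &f is the address of f.ch1 (offset 0) */
    for (i = 0; i < sizeof f.neighbour; i++)
        if (f.neighbour[i] != 0xAA) n++;
    return n;
}

/* Safe pattern: the parser fills a long temporary; range-check, then assign.
   Returns 0 on success, -1 if the value does not fit (the check is an addition). */
int assign_chtype(long parsed, chtype_demo *out) {
    if (parsed < 0 || (unsigned long)parsed > UINT32_MAX)
        return -1;
    *out = (chtype_demo)parsed;
    return 0;
}

int main(void) {
    chtype_demo ch = 0;
    printf("sizeof(long)=%zu sizeof(chtype_demo)=%zu\n", sizeof(long), sizeof ch);
    printf("bytes overwritten past ch1: %zu\n", bytes_clobbered(0x41));
    printf("assign 0x41 -> %d, assign -1 -> %d\n",
           assign_chtype(0x41, &ch), assign_chtype(-1, &ch));
    return 0;
}
```

On an LP64 platform such as x86_64 Linux, `bytes_clobbered` reports 4, which is the portion of the 8-byte store that lands outside the 4-byte variable.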

