[issue27254] heap overflow in Tkinter module

Emin Ghuliev report at bugs.python.org
Wed Jun 8 10:45:49 EDT 2016


Emin Ghuliev added the comment:

Pseudocode, annotated with the disassembly and gdb register values:

<+16>:	movsxd rdx,DWORD PTR [rbx+0x8]
<+20>:	lea    eax,[rdx+rbp*1]

newSize = length ($rdx) + dsPtr->length ($rbp)
gdb > print /x $rbp
$5 = 0xfffff
gdb > print /x $rdx
$6 = 0x100000

newSize = 0xfffff + 0x100000 = 0x1fffff (computed as a 32-bit value by the lea into eax)

<Tcl_DStringAppend+23>  cmp    eax,DWORD PTR [rbx+0xc] 		 ← $pc
<Tcl_DStringAppend+26>  jl     0x7ffff6194e38 <Tcl_DStringAppend+104>

newSize ($eax) >= dsPtr->spaceAvl

gdb > print /x $eax
$7 = 0x1fffff

gdb > x/x $rbx+0xc
0x7fffffffd0cc:	0x001ffffe

condition: 0x1fffff >= 0x001ffffe is true, so the jl is not taken and the grow path below is entered

	if (newSize >= dsPtr->spaceAvl) {
		<Tcl_DStringAppend+31>  lea    esi,[rax+rax*1] ; magic compiler optimization :) rax+rax == newSize(0x1fffff)*2
		/*							*/
		dsPtr->spaceAvl = newSize * 2;
		gdb > print /x $rax
		$4 = 0x1fffff
		$esi = 0x1fffff+0x1fffff (newSize(0x1fffff)*2) = 0x3ffffe
		/*							*/
		
		=> <+34>:	lea    rax,[rbx+0x10]
		   <+38>:	mov    DWORD PTR [rbx+0xc],esi
		   <+41>:	cmp    rdi,rax ; $rax = dsPtr->staticSpace and $rdi = dsPtr->string
		   <+44>:	je     0x7ffff6194e50 <Tcl_DStringAppend+128>
		
		condition: dsPtr->string == dsPtr->staticSpace is false, so the je at <+44> is not taken and execution continues at '<Tcl_DStringAppend+46>  call   0x7ffff60c2040 <Tcl_Realloc>'

	        if (dsPtr->string == dsPtr->staticSpace) {	          
			char *newString = ckalloc(dsPtr->spaceAvl);
            		memcpy(newString, dsPtr->string, (size_t) dsPtr->length);
			dsPtr->string = newString;
		} 
		else {
			<Tcl_DStringAppend+46>  call   0x7ffff60c2040 <Tcl_Realloc>
			$rsi = 0x3ffffe
			$rdi = 0x7ffff333e020
			dsPtr->string = ckrealloc(dsPtr->string = 0x7ffff333e020, dsPtr->spaceAvl = 0x3ffffe);
		}
	}


disassemble: 
		 <Tcl_DStringAppend+58>  lea    rdi,[rax+rdx*1] 	; dsPtr->string + dsPtr->length
		 <Tcl_DStringAppend+62>  mov    rsi,r12			; bytes
		 <Tcl_DStringAppend+65>  movsxd rdx,ebp			; length
		 <Tcl_DStringAppend+68>  call   0x7ffff60a25c0 <memcpy at plt>
		 memcpy(dsPtr->string + dsPtr->length, bytes, length);

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue27254>
_______________________________________

