[issue27254] heap overflow in Tkinter module
Emin Ghuliev
report at bugs.python.org
Wed Jun 8 10:45:49 EDT 2016
Emin Ghuliev added the comment:
pseudocode (x86-64 Intel syntax; in this listing rbx = dsPtr, rbp = the `length` argument, r12 = the `bytes` argument)
<+16>: movsxd rdx,DWORD PTR [rbx+0x8]
<+20>: lea eax,[rdx+rbp*1]
newSize = dsPtr->length ($rdx, loaded from [rbx+0x8]) + length ($rbp); the add is done in 32 bits (eax)
gdb > print /x $rbp
$5 = 0xfffff
gdb > print /x $rdx
$6 = 0x100000
newSize = 0x100000 (dsPtr->length) + 0xfffff (length) = 0x1fffff
<Tcl_DStringAppend+23> cmp eax,DWORD PTR [rbx+0xc] ← $pc
<Tcl_DStringAppend+26> jl 0x7ffff6194e38 <Tcl_DStringAppend+104>
newSize ($eax) >= dsPtr->spaceAvl  -- note the jl at +26 is a signed 32-bit compare, so this check only holds while the sum in eax has not wrapped negative; with the values shown here no wrap occurs
gdb > print /x $eax
$7 = 0x1fffff
gdb > x/x $rbx+0xc
0x7fffffffd0cc: 0x001ffffe
condition: 0x1fffff >= 0x001ffffe = True
if (newSize >= dsPtr->spaceAvl) {
<Tcl_DStringAppend+31> lea esi,[rax+rax*1] ; compiler uses lea to compute newSize*2 without a multiply (0x1fffff*2)
/* */
dsPtr->spaceAvl = newSize * 2;
gdb > print /x $rax
$4 = 0x1fffff
$esi = 0x1fffff+0x1fffff (newSize(0x1fffff)*2) = 0x3ffffe
/* */
=> <+34>: lea rax,[rbx+0x10]
<+38>: mov DWORD PTR [rbx+0xc],esi
<+41>: cmp rdi,rax ; $rax = dsPtr->staticSpace and $rdi = dsPtr->string
<+44>: je 0x7ffff6194e50 <Tcl_DStringAppend+128>
condition: dsPtr->string == dsPtr->staticSpace is False, so the je is not taken and execution falls through to '<Tcl_DStringAppend+46> call 0x7ffff60c2040 <Tcl_Realloc>' (the existing heap buffer is grown with ckrealloc)
if (dsPtr->string == dsPtr->staticSpace) {
char *newString = ckalloc(dsPtr->spaceAvl);
memcpy(newString, dsPtr->string, (size_t) dsPtr->length);
dsPtr->string = newString;
}
else {
<Tcl_DStringAppend+46> call 0x7ffff60c2040 <Tcl_Realloc>
$rsi = 0x3ffffe
$rdi = 0x7ffff333e020
dsPtr->string = ckrealloc(dsPtr->string /* 0x7ffff333e020 */, dsPtr->spaceAvl /* 0x3ffffe */);
}
}
disassemble:
<Tcl_DStringAppend+58> lea rdi,[rax+rdx*1] ; dsPtr->string + dsPtr->length
<Tcl_DStringAppend+62> mov rsi,r12 ; bytes
<Tcl_DStringAppend+65> movsxd rdx,ebp ; length
<Tcl_DStringAppend+68> call 0x7ffff60a25c0 <memcpy at plt>
memcpy(dsPtr->string + dsPtr->length, bytes, length); // copy size is the 32-bit `length` argument sign-extended by the movsxd at +65; nothing after the spaceAvl check above re-validates it before the write
----------