[Python-Dev] Fuzzing bugs: most bugs are closed

Victor Stinner victor.stinner at haypocalc.com
Sat Jul 19 13:23:12 CEST 2008


Hi,

I filed 14 issues about bugs found by fuzzing (see my other email "Play with 
fuzzing" for more information). Most bugs are now closed, cool :-) Last 
bugs:


== Trivial open bugs ==

segfault on locale.gettext(None)
- http://bugs.python.org/issue3302
- attached patch is trivial: fix the PyArg_ParseTuple() to block None value,
  and reject empty domain string for bindtextdomain() (to avoid strange 
  error "OSError(0): success")

invalid ref count on locale.strcoll() error
- http://bugs.python.org/issue3303
- attached patch is trivial: add "if (rel1)"

_multiprocessing.Connection() doesn't check handle
- http://bugs.python.org/issue3321
- _multiprocessing.Connection(fd) doesn't check that fd is a valid file handle
  and so may crash on poll (the "evil" FD_SET() call)
- my patch adds "|| fstat(handle, &statbuf)" to make sure that the 
  file descriptor is valid


== Complex open bugs ==

block operation on closed socket/pipe for multiprocessing
- http://bugs.python.org/issue3311
- close() method sets the file handle to -1 but most methods don't check 
  the handle and so may fail or crash. Especially poll() calls
  FD_SET((SOCKET)conn->handle, &rfds); with handle=-1 => crash.
- my patch creates a new MP error: "return MP_CLOSED_FILE;", used if handle 
  is INVALID_HANDLE_VALUE to block operations (send, receive, poll) on 
  closed files for socket and pipe.

bugs in scanstring_str() and scanstring_unicode() of _json module
- http://bugs.python.org/issue3322
- scanstring() function crashes if second argument is a big negative 
  integer. There is no attached patch because I don't understand this 
  function enough to fix it correctly, but I suggest raising a ValueError
  if end is too small/big

invalid object destruction in re.finditer()
- or "PyObject_DEL inconsistency if pydebug option is used"
- http://bugs.python.org/issue3299
- It's the most complex bug, I prefer to write a new email :-)


== Need backport / port to python 3.0 ==

invalid call to PyMem_Free() in fileio_init()
- http://bugs.python.org/issue3304
- patch applied in Python 2.6 (trunk) but not in Python 3000:
  "i'm assuming that'll be merged into py3k automagically."
  wrote Gregory P. Smith

missing lock release in BZ2File_iternext()
- http://bugs.python.org/issue3309
- patch applied in Python 2.6 but "Needs backporting to release25-maint."
  wrote Gregory P. Smith


When all bugs are closed, I will restart fuzzing Python ;-) But I also 
tried with my patches and I was unable to find new bugs, great!

Victor
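The two multiprocessing fixes above (issue3321: validate a descriptor with fstat() before using it; issue3311: refuse send/receive/poll once close() has set the handle to -1) both come down to one guard in front of FD_SET(). The C program below is an added illustration of that guard, not Victor's patch and not CPython's _multiprocessing code: the CHK_* return codes, check_handle(), safe_poll() and demo_pipe() are invented names, select() stands in for the module's internal poll, and the FD_SETSIZE bound is an extra check the post does not mention. The pipe it polls is constructed in the program itself, so it runs offline.

```c
#include <stdio.h>
#include <sys/select.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return codes in the spirit of the MP_CLOSED_FILE error proposed for
   issue3311. Names and values are assumptions for this example. */
enum { CHK_OK = 0, CHK_CLOSED = -1, CHK_INVALID = -2 };

/* Hypothetical handle check: a closed handle (-1, as close() sets it)
   and a number the kernel does not know about (fstat fails with EBADF)
   are both rejected before anyone touches an fd_set. */
int check_handle(int handle) {
    struct stat statbuf;
    if (handle < 0)
        return CHK_CLOSED;
    if (fstat(handle, &statbuf) != 0)
        return CHK_INVALID;
    return CHK_OK;
}

/* Guarded readiness poll. FD_SET() on -1 (or on fd >= FD_SETSIZE) writes
   outside the fd_set, which is the crash described in the post, so the
   handle is validated first. Returns a CHK_* code, or 1/0 for
   readable / not readable. */
int safe_poll(int handle, int timeout_ms) {
    int rc = check_handle(handle);
    if (rc != CHK_OK)
        return rc;
    if (handle >= FD_SETSIZE)
        return CHK_INVALID;

    fd_set rfds;
    struct timeval tv;
    FD_ZERO(&rfds);
    FD_SET(handle, &rfds);
    tv.tv_sec = timeout_ms / 1000;
    tv.tv_usec = (timeout_ms % 1000) * 1000;
    int n = select(handle + 1, &rfds, NULL, NULL, &tv);
    if (n < 0)
        return CHK_INVALID;
    return n > 0 ? 1 : 0;
}

/* Walkthrough on a constructed pipe: poll it empty, write a byte and poll
   again, close both ends and poll the stale number, then poll -1.
   Returns how many of the four steps behaved as expected (4 = all). */
int demo_pipe(void) {
    int fds[2];
    int passed = 0;
    if (pipe(fds) != 0)
        return -1;
    if (safe_poll(fds[0], 0) == 0)                      /* nothing to read yet */
        passed++;
    if (write(fds[1], "x", 1) == 1 && safe_poll(fds[0], 100) == 1)
        passed++;
    int stale = fds[0];
    close(fds[0]);
    close(fds[1]);
    if (safe_poll(stale, 0) == CHK_INVALID)             /* fstat: EBADF */
        passed++;
    if (safe_poll(-1, 0) == CHK_CLOSED)                 /* handle = -1 */
        passed++;
    return passed;
}

int main(void) {
    printf("demo_pipe: %d/4 checks passed\n", demo_pipe());
    return 0;
}
```

The point of the ordering in safe_poll() is that the cheap handle check runs before any macro that indexes a buffer with the handle; a fuzzer that reaches the call with a closed or never-opened descriptor then gets an error return instead of a write outside the fd_set.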

