bpo-34087: Fix buffer overflow in int(s) and similar functions #8274
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
_PyUnicode_TransformDecimalAndSpaceToASCII() missed trailing NUL char. It cause buffer overflow in _Py_string_to_number_with_underscores(). This bug is introduced in bpo-31979, 9b6c60c.
methane
added
type-bug
serhiy-storchaka
approved these changes
Jul 13, 2018
|
I added assert, but I haven't checked "make test" cause assertion failure
yet.
Now I left on my PC. Please wait a day.
2018年7月13日(金) 22:31 Serhiy Storchaka <[email protected]>:
… ***@***.**** approved this pull request.
Any chance of adding tests?
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#8274 (review)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAMLqFRu6P6cw1na4VdB7zmOOdSSpI19ks5uGKEXgaJpZM4VO3qA>
.
|
vstinner
reviewed
Jul 13, 2018
| @@ -391,6 +391,8 @@ _Py_string_to_number_with_underscores( | |||
| char *dup, *end; | |||
| PyObject *result; | |||
|
|
|||
| assert(s[orig_len] == '\0'); | |||
There was a problem hiding this comment.
I'm not sure about this assertion. For performance, it would make sense to call _Py_string_to_number_with_underscores() on a sub-string which doesn't end with a NUL character. If you want to add an assertion, please do it at the caller site.
There was a problem hiding this comment.
This assertion is fine to me. _Py_string_to_number_with_underscores() is always called with a substring that end with a NUL character (if it doesn't end, we make a copy and call this function with it). And _Py_string_to_number_with_underscores() calls innerfunc() which expects a NUL terminated string.
There was a problem hiding this comment.
Oh, the following lines calls strchr() which expects that the string ends with a NUL byte.
In that case, should we also test that strlen(s) == orig_len to block embedded NUL byte?
There was a problem hiding this comment.
It is not needed. NUL byte in string is valid.
>>> len("\0\0\0")
3
vstinner
reviewed
Jul 13, 2018
| @@ -391,6 +391,8 @@ _Py_string_to_number_with_underscores( | |||
| char *dup, *end; | |||
| PyObject *result; | |||
|
|
|||
| assert(s[orig_len] == '\0'); | |||
There was a problem hiding this comment.
Oh, the following lines calls strchr() which expects that the string ends with a NUL byte.
In that case, should we also test that strlen(s) == orig_len to block embedded NUL byte?
| @@ -9072,6 +9072,7 @@ _PyUnicode_TransformDecimalAndSpaceToASCII(PyObject *unicode) | |||
| int decimal = Py_UNICODE_TODECIMAL(ch); | |||
| if (decimal < 0) { | |||
| out[i] = '?'; | |||
| out[i+1] = '\0'; | |||
| _PyUnicode_LENGTH(result) = i + 1; | |||
| break; | |||
| } | |||
There was a problem hiding this comment.
To debug other kinds of bugs, you can call "assert(_PyUnicode_CheckConsistency(unicode, 1));" just before "return result;". This function detects if the last character is not a NUL character, for example ;-)
vstinner
approved these changes
Jul 13, 2018
|
You might backport the new tests to 3.6 (it's up to you). |
|
Thanks @methane for the PR 🌮🎉.. I'm working now to backport this PR to: 3.7. |
|
GH-8279 is a backport of this pull request to the 3.7 branch. |
miss-islington
pushed a commit
to miss-islington/cpython
that referenced
this pull request
Jul 14, 2018
…nGH-8274) `_PyUnicode_TransformDecimalAndSpaceToASCII()` missed trailing NUL char. It caused buffer overflow in `_Py_string_to_number_with_underscores()`. This bug is introduced in 9b6c60c. (cherry picked from commit 16dfca4) Co-authored-by: INADA Naoki <[email protected]>
miss-islington
added a commit
that referenced
this pull request
Jul 14, 2018
`_PyUnicode_TransformDecimalAndSpaceToASCII()` missed trailing NUL char. It caused buffer overflow in `_Py_string_to_number_with_underscores()`. This bug is introduced in 9b6c60c. (cherry picked from commit 16dfca4) Co-authored-by: INADA Naoki <[email protected]>
methane
added a commit
to methane/cpython
that referenced
this pull request
Jul 14, 2018
pythonGH-8276 fixed regression in 3.7. While the regression is not in 3.6, it's worth to backport test cases to 3.6 branch too.
methane
added a commit
that referenced
this pull request
Jul 14, 2018
CuriousLearner
added a commit
to CuriousLearner/cpython
that referenced
this pull request
Jul 14, 2018
* master: (2633 commits) bpo-34087: Fix buffer overflow in int(s) and similar functions (pythonGH-8274) bpo-34108: Fix double carriage return in 2to3 on Windows (python#8271) bpo-4260: Document that ctypes.xFUNCTYPE are decorators (pythonGH-7924) bpo-33723: Fix test_time.test_thread_time() (pythonGH-8267) bpo-33967: Remove use of deprecated assertRaisesRegexp() (pythonGH-8261) bpo-34080: Fix a memory leak in the compiler. (pythonGH-8222) Enable GUI testing on Travis Linux builds via Xvfb (pythonGH-7887) bpo-23927: Make getargs.c skipitem() skipping 'w*'. (pythonGH-8192) bpo-33648: Remove PY_WARN_ON_C_LOCALE (pythonGH-7114) bpo-34092, test_logging: increase SMTPHandlerTest timeout (pythonGH-8245) Simplify __all__ in multiprocessing (pythonGH-6856) bpo-34083: Update dict order in Functional HOWTO (pythonGH-8230) Doc: Point to Simple statements section instead of PEP (pythonGH-8238) bpo-29442: Replace optparse with argparse in setup.py (pythonGH-139) bpo-33597: Add What's New for PyGC_Head (pythonGH-8236) Dataclasses: Fix example on 30.6.8, add method should receive a list rather than an integer. (pythonGH-8038) Fix documentation for input and output tutorial (pythonGH-8231) bpo-34009: Expand on platform support changes (pythonGH-8022) Factor-out two substantially identical code blocks. (pythonGH-8219) bpo-34031: fix incorrect usage of self.fail in two tests (pythonGH-8091) ...
CuriousLearner
added a commit
to CuriousLearner/cpython
that referenced
this pull request
Jul 15, 2018
* master: (1159 commits) bpo-34087: Fix buffer overflow in int(s) and similar functions (pythonGH-8274) bpo-34108: Fix double carriage return in 2to3 on Windows (python#8271) bpo-4260: Document that ctypes.xFUNCTYPE are decorators (pythonGH-7924) bpo-33723: Fix test_time.test_thread_time() (pythonGH-8267) bpo-33967: Remove use of deprecated assertRaisesRegexp() (pythonGH-8261) bpo-34080: Fix a memory leak in the compiler. (pythonGH-8222) Enable GUI testing on Travis Linux builds via Xvfb (pythonGH-7887) bpo-23927: Make getargs.c skipitem() skipping 'w*'. (pythonGH-8192) bpo-33648: Remove PY_WARN_ON_C_LOCALE (pythonGH-7114) bpo-34092, test_logging: increase SMTPHandlerTest timeout (pythonGH-8245) Simplify __all__ in multiprocessing (pythonGH-6856) bpo-34083: Update dict order in Functional HOWTO (pythonGH-8230) Doc: Point to Simple statements section instead of PEP (pythonGH-8238) bpo-29442: Replace optparse with argparse in setup.py (pythonGH-139) bpo-33597: Add What's New for PyGC_Head (pythonGH-8236) Dataclasses: Fix example on 30.6.8, add method should receive a list rather than an integer. (pythonGH-8038) Fix documentation for input and output tutorial (pythonGH-8231) bpo-34009: Expand on platform support changes (pythonGH-8022) Factor-out two substantially identical code blocks. (pythonGH-8219) bpo-34031: fix incorrect usage of self.fail in two tests (pythonGH-8091) ...
CuriousLearner
added a commit
to CuriousLearner/cpython
that referenced
this pull request
Jul 21, 2018
…ssue-33014 * 'master' of github.com:CuriousLearner/cpython: (722 commits) bpo-34087: Fix buffer overflow in int(s) and similar functions (pythonGH-8274) bpo-34108: Fix double carriage return in 2to3 on Windows (python#8271) bpo-4260: Document that ctypes.xFUNCTYPE are decorators (pythonGH-7924) bpo-33723: Fix test_time.test_thread_time() (pythonGH-8267) bpo-33967: Remove use of deprecated assertRaisesRegexp() (pythonGH-8261) bpo-34080: Fix a memory leak in the compiler. (pythonGH-8222) Enable GUI testing on Travis Linux builds via Xvfb (pythonGH-7887) bpo-23927: Make getargs.c skipitem() skipping 'w*'. (pythonGH-8192) bpo-33648: Remove PY_WARN_ON_C_LOCALE (pythonGH-7114) bpo-34092, test_logging: increase SMTPHandlerTest timeout (pythonGH-8245) Simplify __all__ in multiprocessing (pythonGH-6856) bpo-34083: Update dict order in Functional HOWTO (pythonGH-8230) Doc: Point to Simple statements section instead of PEP (pythonGH-8238) bpo-29442: Replace optparse with argparse in setup.py (pythonGH-139) bpo-33597: Add What's New for PyGC_Head (pythonGH-8236) Dataclasses: Fix example on 30.6.8, add method should receive a list rather than an integer. (pythonGH-8038) Fix documentation for input and output tutorial (pythonGH-8231) bpo-34009: Expand on platform support changes (pythonGH-8022) Factor-out two substantially identical code blocks. (pythonGH-8219) bpo-34031: fix incorrect usage of self.fail in two tests (pythonGH-8091) ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
_PyUnicode_TransformDecimalAndSpaceToASCII()missed trailing NUL char.It cause buffer overflow in
_Py_string_to_number_with_underscores().This bug is introduced in bpo-31979, 9b6c60c.
https://bugs.python.org/issue34087