New submission from Charles-François Natali <neolo...@free.fr>:

ossaudiodev's writeall method doesn't check that the FD is less than FD_SETSIZE when passing it to FD_SET: since FD_SET typically doesn't do bounds checking, it will write to a random location in memory (in this case on the stack).

I've attached a test that triggers a segfault on my 32-bit Linux box:
- you must have an OSS-compatible device as /dev/dsp (if you don't, you can use "modprobe snd_pcm_oss")
- it tries to increase RLIMIT_NOFILE since it's usually defined to be the same as FD_SETSIZE (1024 on Linux). The script must be run as root for that.

A patch is attached.
The only other place where I've seen a similar problem is in Module/readline.c: I'm not sure it's worth adding this check there :-)

----------
components: Library (Lib)
files: oss_select.diff
keywords: needs review, patch
messages: 137923
nosy: haypo, neologix, pitrou
priority: normal
severity: normal
stage: patch review
status: open
title: ossaudiodev: stack corruption with FD >= FD_SETSIZE
type: crash
versions: Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

Added file: http://bugs.python.org/file22284/oss_select.diff

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue12287>
_______________________________________
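
The missing check described in the report, as an added example that is not part of the original message and is not the attached oss_select.diff: a select()-based wait that refuses descriptors that do not fit in an fd_set, next to a poll()-based wait that has no such limit. The function names, the EINVAL error code and the pipe standing in for /dev/dsp are assumptions of this example.

```c
#include <errno.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

/* Nonzero when fd can be stored in an fd_set without an out-of-bounds write. */
static int fd_fits_select(int fd) { return fd >= 0 && fd < FD_SETSIZE; }

/* select()-based wait with the bounds check in front of FD_SET.
 * Returns 1 if writable, 0 on timeout, -1 on error (EINVAL: example's choice). */
static int wait_writable_select(int fd, int timeout_ms)
{
    fd_set wfds;
    struct timeval tv = { .tv_sec = timeout_ms / 1000,
                          .tv_usec = (timeout_ms % 1000) * 1000 };
    int rc;

    if (!fd_fits_select(fd)) {
        errno = EINVAL;  /* refuse rather than let FD_SET write past wfds */
        return -1;
    }
    FD_ZERO(&wfds);
    FD_SET(fd, &wfds);
    rc = select(fd + 1, NULL, &wfds, NULL, &tv);
    return rc > 0 ? (FD_ISSET(fd, &wfds) != 0) : rc;
}

/* poll()-based wait: no fd_set involved, so FD_SETSIZE does not apply. */
static int wait_writable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLOUT, .revents = 0 };
    int rc = poll(&p, 1, timeout_ms);
    return rc > 0 ? ((p.revents & POLLOUT) != 0) : rc;
}

/* Constructed demo: a pipe's write end stands in for /dev/dsp. */
int main(void)
{
    int p[2];
    if (pipe(p) != 0) return 1;
    int ok = wait_writable_select(p[1], 100) == 1
          && wait_writable_poll(p[1], 100) == 1
          && wait_writable_select(FD_SETSIZE, 100) == -1;
    close(p[0]); close(p[1]);
    return ok ? 0 : 1;
}
```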