New submission from paul:

Crashes python 3.4.1.

# Objects\unicodeobject.c
#
# static PyObject *
# case_operation(PyObject *self,
#                Py_ssize_t (*perform)(int, void *, Py_ssize_t, Py_UCS4 *, Py_UCS4 *))
# {
#     PyObject *res = NULL;
#     Py_ssize_t length, newlength = 0;
#     int kind, outkind;
#     (...)
# 1   length = PyUnicode_GET_LENGTH(self);
# 2   tmp = PyMem_MALLOC(sizeof(Py_UCS4) * 3 * length);
#     (...)
# 3   newlength = perform(kind, data, length, tmp, &maxchar);
#
# 1. there are no safety checks
# 2. 12*length overflows
# 3. perform() writes to tmp buffer, which is too small to hold the result

----------
files: poc_case_op.py
messages: 229455
nosy: pkt
priority: normal
severity: normal
status: open
title: Integer overflow in case_operation
type: security
versions: Python 3.4
Added file: http://bugs.python.org/file36941/poc_case_op.py

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue22643>
_______________________________________
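The size computation from point 2 of the report, next to a bounds-checked form, as an added example that is not part of the original message and is not CPython's code. The names ucs4_t, unchecked_size32 and checked_case_buf_size, the limit parameter and the sample length are assumptions made for illustration; the 32-bit arithmetic models a build where the allocation size is computed in 32 bits.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: stands in for Py_UCS4, a 4-byte code point. */
typedef uint32_t ucs4_t;

/* The report's expression sizeof(Py_UCS4) * 3 * length, evaluated in
 * 32-bit unsigned arithmetic. The product silently wraps modulo 2^32. */
uint32_t unchecked_size32(uint32_t length)
{
    return (uint32_t)sizeof(ucs4_t) * 3u * length;
}

/* Checked form: divide the limit instead of multiplying the length, so the
 * comparison itself cannot overflow. `limit` plays the role of the largest
 * allocation size the platform allows (hypothetical parameter).
 * Returns 0 and stores the byte count in *out, or -1 if it would not fit. */
int checked_case_buf_size(size_t length, size_t limit, size_t *out)
{
    const size_t per_char = sizeof(ucs4_t) * 3;   /* 12 bytes per input char */

    if (length > limit / per_char)
        return -1;            /* caller should raise an error, not allocate */
    *out = per_char * length;
    return 0;
}

int main(void)
{
    uint32_t len = 0x15555556u;   /* constructed sample: 12 * len = 2^32 + 8 */
    size_t n = 0;

    printf("unchecked 32-bit size for %u chars: %u bytes\n",
           (unsigned)len, (unsigned)unchecked_size32(len));
    printf("checked against INT32_MAX: %s\n",
           checked_case_buf_size(len, INT32_MAX, &n) == 0 ? "ok" : "rejected");
    return 0;
}
```

With the unchecked form the allocator is asked for a few bytes while the later write is still sized by the original length, which is the mismatch point 3 of the report describes.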