New submission from Justin Ferguson <[EMAIL PROTECTED]>: The S_unpack_from() function in Modules/_struct.c does not adequately validate its arguments, potentially causing an out-of-bounds read access. It should be noted that the check at line 1561 is inadequate for obscene values of offset. Finally, because they're not really important and I really don't want to type them all up-- you guys might want to go through your code-- especially the modules and look for constructs where an empty string will cause memory to be uninitialized-- look at the audioop module for examples of what I mean-- the only thing that actually saved you guys from overflows there was that the loops you write with use the same variable.
1533 static PyObject * 1534 s_unpack_from(PyObject *self, PyObject *args, PyObject *kwds) 1535 { 1536 static char *kwlist[] = {"buffer", "offset", 0}; 1537 #if (PY_VERSION_HEX < 0x02050000) 1538 static char *fmt = "z#|i:unpack_from"; 1539 #else 1540 static char *fmt = "z#|n:unpack_from"; 1541 #endif 1542 Py_ssize_t buffer_len = 0, offset = 0; [...] 1547 1548 if (!PyArg_ParseTupleAndKeywords(args, kwds, fmt, kwlist, 1549 &buffer, &buffer_len, &offset)) 1550 return NULL; [...] 1558 if (offset < 0) 1559 offset += buffer_len; 1560 1561 if (offset < 0 || (buffer_len - offset) < soself->s_size) { [...] 1566 } 1567 return s_unpack_internal(soself, buffer + offset); 1568 } ---------- components: Extension Modules messages: 65178 nosy: jnferguson severity: normal status: open title: S_unpack_from() Read Access Violation type: security versions: Python 2.5 __________________________________ Tracker <[EMAIL PROTECTED]> <http://bugs.python.org/issue2590> __________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com