New submission from Jordy Zomer <[email protected]>:
Hi,
There's a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c.
The buffer overflow happens due to not checking the length of th sprintf()
function on line:
case 'd':
sprintf(buffer, "<cparam '%c' (%f)>",
self->tag, self->value.d);
break;
Because we control self->value.d we could make it copy _extreme_ values. For
example we could make it copy 1e300 which would be a 1 with 300 zero's to
overflow the buffer.
This could potentially cause RCE when a user allows untrusted input in these
functions.
A minimal PoC:
>>> from ctypes import *
>>> c_double.from_param(1e300)
*** buffer overflow detected ***: terminated
Aborted
I recommend __always__ controlling how much you copy so I'd use snprintf with a
size argument instead.
Best Regards,
Jordy Zomer
----------
components: ctypes
messages: 385136
nosy: JordyZomer
priority: normal
severity: normal
status: open
title: ctypes double representation BoF
type: security
versions: Python 3.10
_______________________________________
Python tracker <[email protected]>
<https://bugs.python.org/issue42938>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
