[issue15930] buffer overrun in wcstombs_errorpos()
New submission from Christian Heimes:

Coverity has found a buffer overrun in wcstombs_errorpos() defined at http://hg.python.org/cpython/file/25e41fdc4e60/Objects/unicodeobject.c#l3237

Message:

CID 719672: Out-of-bounds access (OVERRUN)
At (2): Overrunning array buf of 2 4-byte elements by passing it to a function which accesses it at element index 15 (byte offset 60) using argument 16UL.

On a 64-bit Linux system SIZE_OF_WCHAR_T is 4 and MB_LEN_MAX 16. In this constellation buf is 8 bytes long (wchar_t[2]) but outbuf has a size of 16 bytes. This causes a buffer overrun in wcstombs(outbuf, buf, sizeof(outbuf)).

--
keywords: 3.3regression
messages: 170373
nosy: christian.heimes, haypo
priority: normal
severity: normal
status: open
title: buffer overrun in wcstombs_errorpos()
type: resource usage
versions: Python 3.3

Python tracker rep...@bugs.python.org
http://bugs.python.org/issue15930

Python-bugs-list mailing list
Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
Christian Heimes added the comment:

Georg, this issue might be security-relevant and should be reviewed before the next release.

--
nosy: +georg.brandl
Stefan Krah added the comment:

buf[1] contains NUL if SIZE_OF_WCHAR_T is 4. The man page says:

    size_t wcstombs(char *dest, const wchar_t *src, size_t n)

    The conversion can stop for three reasons:
    ...
    3. The wide-character string has been completely converted, including the terminating L'\0'. In this case the conversion ends in the initial state. The number of bytes written to dest, excluding the terminating '\0' byte, is returned.

To me this sounds like there cannot be an invalid write.

--
nosy: +skrah
Stefan Krah added the comment:

I'm convinced that this is a false positive:

    size_t wcstombs(char *dest, const wchar_t *src, size_t n);

We have:

1) buf[0] = *wstr and buf[1] = 0. So:

2) wcstombs(NULL, buf, 0) = 4.

Then the man page says:

    ... the programmer should make sure n is greater or equal to wcstombs(NULL,src,0)+1.

In this case, wcstombs(NULL, buf, 0) + 1 = 5 and we call:

    wcstombs(char *dest, const wchar_t *src, 16);

--
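The bound Stefan applies, worked through as an added C example that is not part of this thread and not CPython's code: a NUL-terminated wchar_t[2] is sized with wcstombs(NULL, buf, 0) before conversion, the output buffer is MB_LEN_MAX bytes as in the Coverity report, and the conversion is called with n equal to the full output size, as in the flagged call. The function names (bytes_needed_for, outbuf_is_large_enough, convert_one_wchar) and the sample characters are assumptions made for the example.

```c
/* Added example illustrating the wcstombs() bound discussed above; it is
   not CPython code. Function names are hypothetical. */
#include <limits.h>
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <wchar.h>

/* Scratch output buffer sized like the outbuf in the report (MB_LEN_MAX,
   16 on 64-bit Linux/glibc). Global so callers can inspect the result. */
char scratch[MB_LEN_MAX];

/* Bytes wcstombs() needs for one wide character, excluding the terminating
   '\0', computed the way the man page recommends: wcstombs(NULL, src, 0).
   Returns (size_t)-1 if the character cannot be encoded in the current locale. */
size_t bytes_needed_for(wchar_t wc)
{
    wchar_t buf[2];            /* same shape as buf in wcstombs_errorpos() */
    buf[0] = wc;
    buf[1] = L'\0';            /* the terminator is what bounds the read of buf */
    return wcstombs(NULL, buf, 0);
}

/* 1 if an output buffer of outlen bytes can hold the encoding plus '\0',
   i.e. outlen >= wcstombs(NULL, src, 0) + 1 as the man page requires. */
int outbuf_is_large_enough(wchar_t wc, size_t outlen)
{
    size_t needed = bytes_needed_for(wc);
    return needed != (size_t)-1 && needed + 1 <= outlen;
}

/* Convert one wide character into out, returning the byte count written
   (excluding '\0') or -1 if the locale rejects it or out is too small.
   wcstombs() is given n == outlen, exactly as in the reported call; it
   never reads past buf[1] because of the L'\0', so no overrun occurs. */
long convert_one_wchar(wchar_t wc, char *out, size_t outlen)
{
    wchar_t buf[2] = { wc, L'\0' };
    if (!outbuf_is_large_enough(wc, outlen))
        return -1;
    size_t n = wcstombs(out, buf, outlen);
    return n == (size_t)-1 ? -1 : (long)n;
}

int main(void)
{
    /* Prefer a UTF-8 locale so non-ASCII samples exercise the multi-byte
       case; fall back to "C" (ASCII only) if the system lacks it. */
    if (setlocale(LC_CTYPE, "C.UTF-8") == NULL)
        setlocale(LC_CTYPE, "C");

    /* Constructed sample characters: ASCII, 2-byte and 3-byte in UTF-8. */
    wchar_t samples[] = { L'A', 0x00E9, 0x20AC };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long n = convert_one_wchar(samples[i], scratch, sizeof scratch);
        printf("U+%04lX: needed=%zu written=%ld of %zu bytes\n",
               (unsigned long)samples[i], bytes_needed_for(samples[i]),
               n, sizeof scratch);
    }
    return 0;
}
```

The point the example makes concrete is that the 16 passed as n bounds writes to the destination, while reads from the source are bounded by the L'\0' in buf[1]; a static checker that reasons only from n and sizeof(buf) reports the call, but the terminator keeps the access within buf.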
Christian Heimes added the comment:

Stefan, I agree with your analysis. With the terminating null wide char wcstombs will never read beyond the end of buf.

--
resolution: -> invalid
status: open -> closed