[issue2586] Integer signedness bugs in zlib modules
David Remahl [EMAIL PROTECTED] added the comment: I submit that a check for negative values (non-assert-based) should be added to PyString_FromStringAndSize(). This API is called from many, many places, and in several cases the operand could probably be negative. It should raise an overflow exception for a negative value. -- nosy: +chmod007 __ Tracker [EMAIL PROTECTED] http://bugs.python.org/issue2586 __ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue2586] Integer signedness bugs in zlib modules
Alexander Belopolsky [EMAIL PROTECTED] added the comment: On Thu, Apr 10, 2008 at 1:17 PM, David Remahl [EMAIL PROTECTED] wrote: I submit that a check for negative values (non-assert-based) should be added to PyString_FromStringAndSize(). See issue2587 and r62262. __ Tracker [EMAIL PROTECTED] http://bugs.python.org/issue2586 __ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue2586] Integer signedness bugs in zlib modules
New submission from Justin Ferguson [EMAIL PROTECTED]: The zlib module in multiple places fails to adequately check the sanity of its arguments resulting in memory corruption, please see two attached PoCs. -- components: Extension Modules files: python-2.5.2-zlib-unflush-misallocation.py messages: 65171 nosy: jnferguson severity: normal status: open title: Integer signedness bugs in zlib modules type: security versions: Python 2.5 Added file: http://bugs.python.org/file9983/python-2.5.2-zlib-unflush-misallocation.py __ Tracker [EMAIL PROTECTED] http://bugs.python.org/issue2586 __ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue2586] Integer signedness bugs in zlib modules
Changes by Justin Ferguson [EMAIL PROTECTED]: Added file: http://bugs.python.org/file9984/python-2.5.2-zlib-unflush-signedness.py __ Tracker [EMAIL PROTECTED] http://bugs.python.org/issue2586 __ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue2586] Integer signedness bugs in zlib modules
Justin Ferguson [EMAIL PROTECTED] added the comment: Just so you know, the scripts actually do two different things-- the bugs are both related to negative values though. One causes PyString_FromStringAndSize() to try an allocate zero bytes (the -24 one), the other causes like 22 bytes to get allocated and then takes advantage of the sign-conversion when the value is assigned to the zlib structure member (the member is unsigned, the value is signed) Honestly, you guys should consider enforcing the safe downcast usage because signedness issues are all over your code base (as I'm sure you know) __ Tracker [EMAIL PROTECTED] http://bugs.python.org/issue2586 __ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue2586] Integer signedness bugs in zlib modules
Alexander Belopolsky [EMAIL PROTECTED] added the comment: This has just been fixed in the trunk: r62235. -- nosy: +belopolsky __ Tracker [EMAIL PROTECTED] http://bugs.python.org/issue2586 __ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue2586] Integer signedness bugs in zlib modules
Raymond Hettinger [EMAIL PROTECTED] added the comment: Thx -- resolution: - fixed status: open - closed __ Tracker [EMAIL PROTECTED] http://bugs.python.org/issue2586 __ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com