[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2009-04-14 Thread Petr Splichal

Petr Splichal p...@gmail.com added the comment:

Justin, is there any reproducer available for this issue?
Thanks!

--
nosy: +psss

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue2588
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-05-25 Thread Gregory P. Smith

Changes by Gregory P. Smith [EMAIL PROTECTED]:


--
assignee:  - gregory.p.smith
keywords: +patch
nosy: +gregory.p.smith
priority:  - normal


[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-04-09 Thread Justin Ferguson

Justin Ferguson [EMAIL PROTECTED] added the comment:

Actually, I'm not sure things are any better today; even different
versions of the same operating system have inconsistencies. For
instance, on some versions of RHEL the vsnprintf() can fail during
unicode conversion, and MSVCRT still returns -1 on truncation, et cetera.

That said, there are plenty of other implementations that manage this
without the potential of underflowing a buffer.


[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-04-09 Thread Alexander Belopolsky

Alexander Belopolsky [EMAIL PROTECTED] added the comment:

On Wed, Apr 9, 2008 at 1:16 PM, Justin Ferguson [EMAIL PROTECTED] wrote:
> ..
> That said, there are plenty of other implementations that manage this
> without the potential of underflowing a buffer


Do you have in mind something like the following?

===
--- Python/mysnprintf.c (revision 62211)
+++ Python/mysnprintf.c (working copy)
@@ -88,6 +88,7 @@
PyMem_FREE(buffer);
 Done:
 #endif
-   str[size-1] = '\0';
+   if (size  0)
+   str[size-1] = '\0';
return len;
 }
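Review bot: the guard is the right minimal fix, but the condition is rendered here as `if (size  0)` with the comparison operator lost; it should read `if (size > 0)` so that it matches the `assert(size > 0)` precondition quoted in the submission, and the body should keep the indentation of the original `str[size-1] = '\0';`. With the guard in place a size of 0 falls straight through to `return len;`, which on the HAVE_SNPRINTF path is whatever vsnprintf() returned for a zero-size buffer (the required length on a C99 libc, -1 on the MSVCRT mentioned elsewhere in the thread), so callers still cannot rely on a C99-shaped return value; and since `Done:` sits under `#endif`, the non-HAVE_SNPRINTF branch above this hunk deserves its own check for size == 0 before the change goes in.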

I would be +0 on such change.


[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-04-09 Thread Justin Ferguson

Justin Ferguson [EMAIL PROTECTED] added the comment:

Yep, that works for me.


[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-04-08 Thread Justin Ferguson

New submission from Justin Ferguson [EMAIL PROTECTED]:

PyOS_vsnprintf() carries the caveat that the length parameter cannot be
zero; however, this is only enforced via assert(), which is compiled
out of release builds. As a result, if the length parameter is zero the
function underflows and writes a null byte to invalid memory.

 int
 PyOS_vsnprintf(char *str, size_t size, const char *format, va_list va)
 {
     int len;  /* # bytes written, excluding \0 */
 #ifndef HAVE_SNPRINTF
     char *buffer;
 #endif
     assert(str != NULL);
     assert(size > 0);
     assert(format != NULL);
 [...]
     len = vsnprintf(str, size, format, va);
 [...]
     str[size-1] = '\0';
     return len;
 }

--
components: Distutils
messages: 65174
nosy: jnferguson
severity: normal
status: open
title: PyOS_vsnprintf() underflow leads to memory corruption
type: security
versions: Python 2.5


[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-04-08 Thread Justin Ferguson

Changes by Justin Ferguson [EMAIL PROTECTED]:


--
components: +Interpreter Core -Distutils


[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-04-08 Thread Amaury Forgeot d'Arc

Amaury Forgeot d'Arc [EMAIL PROTECTED] added the comment:

I think that programming errors against the python API are best checked
with asserts: I develop in development mode (with asserts enabled), then
I want my released program to run at full speed.

Other thoughts?

--
nosy: +amaury.forgeotdarc


[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-04-08 Thread Justin Ferguson

Justin Ferguson [EMAIL PROTECTED] added the comment:

I can generally agree with that, and I admit I haven't verified all of
the code paths here; there are several hundred of them leading into this
function. Are you positive all of them are safe? (It seems like it would be
easier to just move the check into an if than to sit down and verify
that all XXX hundred code paths are safe.)

In the other bug, I have verified code paths into it; for instance, test
the misallocation PoC in 2586 as an example.


[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-04-08 Thread Alexander Belopolsky

Alexander Belopolsky [EMAIL PROTECTED] added the comment:

As long as snprintf is used with a fixed-size buffer using the idiom

 snprintf(buffer, sizeof(buffer), ..)

there is no issue, because sizeof(buffer) cannot be zero. AFAICT, this
is how Python uses the PyOS_vsnprintf wrapper.

On the other hand, maybe this is a good opportunity to revisit the
decision to make PyOS_vsnprintf semantics different from C99 vsnprintf.

C99 defines snprintf semantics as follows:

int snprintf(char *restrict s, size_t n,
   const char *restrict format, ...);

The snprintf() function shall be equivalent to sprintf(), with the 
addition of the n argument which states the size of the buffer referred 
to by s. If n is zero, nothing shall be written and s may be a null 
pointer. Otherwise, output bytes beyond the n-1st shall be discarded 
instead of being written to the array, and a null byte is written at the 
end of the bytes actually written into the array.

http://www.opengroup.org/onlinepubs/95399/functions/printf.html

--
nosy: +belopolsky


[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-04-08 Thread Justin Ferguson

Justin Ferguson [EMAIL PROTECTED] added the comment:

I do agree with your point about snprintf(..., sizeof(x), ...). My
single biggest point (and maybe I'm just not seeing it) is that there
appears to be no good reason for having this caveat, and in turn it's
essentially just code waiting to break; with as commonly used a
function as this, it's really a matter of when and not so much if.

While no one seems to ever use it this way, don't forget that a good
alternative to asprintf() is calling snprintf() with a length of zero to
get the length (in compliant implementations), allocating the memory and
then calling it again.

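Added here as an illustration, not CPython's code nor the patch from this thread: a hypothetical `safe_vsnprintf` wrapper with the same shape as PyOS_vsnprintf() plus the `size > 0` guard proposed above, and the two-pass measure-then-allocate idiom mentioned as an asprintf() alternative. The names `safe_vsnprintf`, `safe_snprintf`, `format_alloc` and `zero_size_is_harmless` are assumptions; the guard byte and sample strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper, not CPython's PyOS_vsnprintf: same shape, plus the
 * size > 0 guard from the thread so a zero-size call never touches str[-1].
 * C99 vsnprintf writes nothing when size is 0 and returns the full length. */
int safe_vsnprintf(char *str, size_t size, const char *format, va_list va)
{
    int len = vsnprintf(str, size, format, va);
    if (size > 0)
        str[size - 1] = '\0';   /* belt and braces for pre-C99 libcs */
    return len;
}

int safe_snprintf(char *str, size_t size, const char *format, ...)
{
    va_list va;
    va_start(va, format);
    int len = safe_vsnprintf(str, size, format, va);
    va_end(va);
    return len;
}

/* Two-pass asprintf() alternative: measure with size 0, allocate len + 1,
 * format again. Caller frees the result; NULL on error. */
char *format_alloc(const char *format, ...)
{
    va_list va;
    va_start(va, format);
    int len = safe_vsnprintf(NULL, 0, format, va);      /* measuring pass */
    va_end(va);
    char *out = (len < 0) ? NULL : malloc((size_t)len + 1);
    if (out == NULL)
        return NULL;
    va_start(va, format);
    safe_vsnprintf(out, (size_t)len + 1, format, va);   /* real pass */
    va_end(va);
    return out;
}

/* A zero-size call must report the full length and leave guard[0], the byte
 * where str[size-1] would land, untouched. Returns 1 on success. */
int zero_size_is_harmless(void)
{
    char guard[2] = { 'G', 'G' };   /* constructed canary before the buffer */
    int len = safe_snprintf(guard + 1, 0, "%s", "hello");
    return len == 5 && guard[0] == 'G' && guard[1] == 'G';
}
```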



[issue2588] PyOS_vsnprintf() underflow leads to memory corruption

2008-04-08 Thread Alexander Belopolsky

Alexander Belopolsky [EMAIL PROTECTED] added the comment:

On Tue, Apr 8, 2008 at 9:21 PM, Justin Ferguson [EMAIL PROTECTED] wrote:

> ..
> While no one seems to ever use it this way, don't forget that a good
> alternative to asprintf() is calling snprintf() with a length of zero to
> get the length (in compliant implementations), allocating the memory and
> then calling it again.

Remember that PyOS_vsnprintf was introduced back in 2001 when
(according to the comments in the file) not all platforms provided C99
compliant implementations. If you can verify that the situation has
changed for the supported platforms, I think you will have a good case
for making the wrapper C99 compliant.
