[issue3322] bugs in scanstring_str() and scanstring_unicode() of _json module

2008-07-08 Thread STINNER Victor

New submission from STINNER Victor <[EMAIL PROTECTED]>:

scanstring_str() and scanstring_unicode() functions don't check the end 
value, whereas it can be outside the input string range. A check like 
this is needed:

    if (end < 0 || len <= end) {
        PyErr_SetString(PyExc_ValueError, "xxx");
        return NULL;
    }

next is set to begin, but a few lines later (before the first use of 
next), it's set to end: for (next = end; ...).

In error messages, e.g. "Invalid control character at (...)", begin is 
used as the character position, but I think that the right position is 
in the variable "end" (or maybe "next"?).

I'm unable to fix these functions because I don't understand the code.

--
components: Library (Lib)
messages: 69447
nosy: haypo
severity: normal
status: open
title: bugs in scanstring_str() and scanstring_unicode() of _json module
type: crash
versions: Python 2.6

___
Python tracker <[EMAIL PROTECTED]>

___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



2008-07-19 Thread STINNER Victor

STINNER Victor <[EMAIL PROTECTED]> added the comment:

To reproduce the crash, try a very big negative integer as the second 
argument. Example:

>>> _json.scanstring("test", -23492394)
Erreur de segmentation (core dumped)

>>> _json.scanstring(u"test", -1239239)
Erreur de segmentation (core dumped)

2008-07-19 Thread Georg Brandl

Georg Brandl <[EMAIL PROTECTED]> added the comment:

Bob, do you know how to fix this?

--
assignee:  -> bob.ippolito
nosy: +bob.ippolito, georg.brandl

2008-07-19 Thread STINNER Victor

STINNER Victor <[EMAIL PROTECTED]> added the comment:

I wrote that I'm unable to fix the bug correctly, but I wrote a patch 
to avoid the crash:
- replace begin by end in error messages: is it correct?
- use "end < 0 || len <= end" test to check scanstring() second 
argument => raise a ValueError if end value is invalid

--
keywords: +patch
Added file: http://bugs.python.org/file10947/_json.patch
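
The range check proposed in this thread, shown in a small stand-alone C scanner as an added example; it is not the _json source or the committed patch, and `scan_string` and its error codes are hypothetical names. The index is validated before the first read, so the negative value from the crash report above is rejected instead of being used as a buffer offset.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the scanner discussed in this thread (not the
 * _json code). Scans a JSON string body starting at index `end`, the
 * character after the opening quote, and returns the index just past the
 * closing quote, or a negative error code. */
enum { SCAN_BAD_INDEX = -1, SCAN_UNTERMINATED = -2, SCAN_CONTROL_CHAR = -3 };

long scan_string(const char *buf, long len, long end)
{
    long next;

    /* The check proposed in the thread: reject the index before any read. */
    if (end < 0 || len <= end)
        return SCAN_BAD_INDEX;

    for (next = end; next < len; next++) {
        unsigned char c = (unsigned char)buf[next];
        if (c == '"')
            return next + 1;
        if (c < 0x20)
            return SCAN_CONTROL_CHAR;
        if (c == '\\') {
            /* Skip the escaped character, but never step past the buffer. */
            if (next + 1 >= len)
                return SCAN_UNTERMINATED;
            next++;
        }
    }
    return SCAN_UNTERMINATED;
}

int main(void)
{
    const char doc[] = "\"test\"";   /* constructed sample input */
    long len = (long)(sizeof doc - 1);
    long probes[] = { 1, -23492394, len, len + 7 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("end=%ld -> %ld\n", probes[i], scan_string(doc, len, probes[i]));
    return 0;
}
```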

2008-07-19 Thread Bob Ippolito

Bob Ippolito <[EMAIL PROTECTED]> added the comment:

Am I to understand that the bug here is that the C extension doesn't
validate input properly if you call into it directly? Without a test I'm
not entirely sure exactly how you could possibly get negative values
into those functions using the json module as-is.

2008-07-19 Thread Bob Ippolito

Bob Ippolito <[EMAIL PROTECTED]> added the comment:

I've audited the patch; while it does fix the input range, it looks like
it regresses other things (at least the error messages). "begin" was
intentionally used. The patch is not suitable for use; I'll create a
minimal patch that just fixes input validation.

2008-07-19 Thread Bob Ippolito

Bob Ippolito <[EMAIL PROTECTED]> added the comment:

I just committed a fix to trunk in r65147, needs port to py3k?

--
assignee: bob.ippolito -> georg.brandl

2008-07-20 Thread Georg Brandl

Georg Brandl <[EMAIL PROTECTED]> added the comment:

Was merged in r65148.

--
resolution:  -> fixed
status: open -> closed
