New submission from Jordy Zomer <jo...@simplyhacker.com>:
Hi, There's a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c. The buffer overflow happens due to not checking the length of th sprintf() function on line: case 'd': sprintf(buffer, "<cparam '%c' (%f)>", self->tag, self->value.d); break; Because we control self->value.d we could make it copy _extreme_ values. For example we could make it copy 1e300 which would be a 1 with 300 zero's to overflow the buffer. This could potentially cause RCE when a user allows untrusted input in these functions. A minimal PoC: >>> from ctypes import * >>> c_double.from_param(1e300) *** buffer overflow detected ***: terminated Aborted I recommend __always__ controlling how much you copy so I'd use snprintf with a size argument instead. Best Regards, Jordy Zomer ---------- components: ctypes messages: 385136 nosy: JordyZomer priority: normal severity: normal status: open title: ctypes double representation BoF type: security versions: Python 3.10 _______________________________________ Python tracker <rep...@bugs.python.org> <https://bugs.python.org/issue42938> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com