New submission from Jordy Zomer <jo...@simplyhacker.com>:

Hi, 

There's a buffer overflow in the PyCArg_repr() function in _ctypes/callproc.c.

The buffer overflow happens due to not checking the length of the sprintf() 
function on line: 

    case 'd':
        sprintf(buffer, "<cparam '%c' (%f)>",
            self->tag, self->value.d);
        break;

Because we control self->value.d we could make it copy _extreme_ values. For 
example we could make it copy 1e300, which would be a 1 with 300 zeros, to 
overflow the buffer.

This could potentially cause RCE when a user allows untrusted input in these 
functions.

A minimal PoC:

>>> from ctypes import *
>>> c_double.from_param(1e300)
*** buffer overflow detected ***: terminated
Aborted


I recommend __always__ controlling how much you copy so I'd use snprintf with a 
size argument instead.
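As an added illustration of the bounded-formatting fix the report recommends (this is example code, not CPython's callproc.c and not the patch that closed the issue), the function below keeps the same "<cparam '%c' (%f)>" format but writes through snprintf() with the buffer size, always NUL-terminates, and reports truncation to the caller instead of writing past the end. The function names and the 256-byte buffer are this example's own choices; the second helper only measures how long the repr of a value such as 1e300 would be, which shows why a fixed-size buffer cannot hold it.

```c
#include <stdio.h>
#include <string.h>

/* Bounded replacement for the unbounded sprintf() quoted in the report.
 * Writes the repr of a double C argument into buf (of size buflen), always
 * NUL-terminates it, and returns 1 if the whole repr fit, 0 if it was
 * truncated (or could not be formatted). The name and contract are this
 * example's assumptions, not CPython's API. */
int cparam_double_repr(char *buf, size_t buflen, char tag, double value)
{
    if (buf == NULL || buflen == 0) {
        return 0;
    }
    /* snprintf writes at most buflen-1 characters plus the NUL and returns
     * the length the complete output would have had, so a caller can detect
     * that 1e300 did not fit instead of silently overflowing. */
    int needed = snprintf(buf, buflen, "<cparam '%c' (%f)>", tag, value);
    if (needed < 0) {
        buf[0] = '\0';          /* formatting error: leave an empty, valid string */
        return 0;
    }
    return (size_t)needed < buflen;
}

/* Length (excluding the NUL) the repr would need, computed without writing
 * anywhere. For 1e300 with "%f" this is several hundred bytes, well beyond
 * any small fixed-size local buffer. */
size_t cparam_double_repr_len(char tag, double value)
{
    int n = snprintf(NULL, 0, "<cparam '%c' (%f)>", tag, value);
    return n < 0 ? 0 : (size_t)n;
}

int main(void)
{
    char buf[256];   /* fixed-size local, the scenario the report describes */
    int fit;

    fit = cparam_double_repr(buf, sizeof buf, 'd', 3.5);
    printf("ordinary value: fit=%d repr=%s\n", fit, buf);

    fit = cparam_double_repr(buf, sizeof buf, 'd', 1e300);
    printf("1e300 needs %zu bytes; fit=%d, stored %zu bytes (buffer intact)\n",
           cparam_double_repr_len('d', 1e300), fit, strlen(buf));
    return 0;
}
```

The caller can decide what to do on truncation (for a repr, a clipped string is acceptable; for anything parsed later it is not), but the important property is that the length of self->value.d's textual form no longer determines how many bytes are written.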

Best Regards,

Jordy Zomer

----------
components: ctypes
messages: 385136
nosy: JordyZomer
priority: normal
severity: normal
status: open
title: ctypes double representation BoF
type: security
versions: Python 3.10

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue42938>
_______________________________________
_______________________________________________
Python-bugs-list mailing list