Issue 23361

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python Developer's Guide.

Classification
Title: integer overflow in winapi_createprocess
Type: crash
Stage: resolved
Components:
Versions: Python 3.3, Python 3.4, Python 3.5

Process
Status: closed
Resolution: fixed
Dependencies:
Superseder:
Assigned To:
Nosy List: Arfrever, pkt, python-dev
Priority: normal
Keywords:

Created on 2015-02-01 13:51 by pkt, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Messages (4)
msg235168 - Author: paul (pkt) Date: 2015-02-01 13:51
winapi_createprocess takes env_mapping dictionary as a parameter, mapping variables to their env. values. A dictionary with pathologically large values will cause an integer overflow during computation of the total space required to store all key-value pairs.

File: Modules\_winapi.c

static PyObject*
getenvironment(PyObject* environment)
{
    Py_ssize_t i, envsize, totalsize;
    ...
    envsize = PyMapping_Length(environment);
    keys = PyMapping_Keys(environment);
    values = PyMapping_Values(environment);
    if (!keys || !values)
        goto error;

    totalsize = 1; /* trailing null character */
    for (i = 0; i < envsize; i++) {
        PyObject* key = PyList_GET_ITEM(keys, i);
        PyObject* value = PyList_GET_ITEM(values, i);

        if (! PyUnicode_Check(key) || ! PyUnicode_Check(value)) {
            PyErr_SetString(PyExc_TypeError,
                "environment can only contain strings");
            goto error;
        }
        totalsize += PyUnicode_GET_LENGTH(key) + 1;    /* +1 for '=' */
1       totalsize += PyUnicode_GET_LENGTH(value) + 1;  /* +1 for '\0' */
    }

2   buffer = PyMem_Malloc(totalsize * sizeof(Py_UCS4));
    if (! buffer)
        goto error;
    p = buffer;
3   end = buffer + totalsize;
4   for (i = 0; i < envsize; i++) {
        PyObject* key = PyList_GET_ITEM(keys, i);
        PyObject* value = PyList_GET_ITEM(values, i);
X       if (!PyUnicode_AsUCS4(key, p, end - p, 0))
            goto error;
        p += PyUnicode_GET_LENGTH(key);
X       *p++ = '=';
X       if (!PyUnicode_AsUCS4(value, p, end - p, 0))
            goto error;
        p += PyUnicode_GET_LENGTH(value);
X       *p++ = '\0';
    }

1. no overflow checks. We can set totalsize to 2^30, with a crafted dictionary.
2. totalsize*4 == 0, so buffer is 0-bytes long.
3. end = buffer+2^30.
4. envsize == len(env_mapping). We can make this variable as large as we like.
X. write past the buffer's end. Note size checks in PyUnicode_AsUCS4 are inefficient, because the size variable (end-p) is very large.
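The root cause in the report is unchecked size arithmetic: the per-entry additions can wrap Py_ssize_t, and the later multiplication by sizeof(Py_UCS4) can wrap to a tiny allocation. The changeset below says the fix "adds overflow checking"; as an added illustration that is neither CPython's code nor the committed change, the following C reproduces the size computation from the posted getenvironment() loop with every addition and the final multiplication checked, so an oversized mapping is rejected before any buffer is allocated. EnvPair, checked_add, env_block_units, env_block_bytes and unchecked_bytes_32 are hypothetical names; ptrdiff_t stands in for Py_ssize_t and uint32_t for Py_UCS4; the sample entries are constructed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in (not a CPython type) for one environment entry:
   the code-point lengths PyUnicode_GET_LENGTH() would report for the key
   and the value. Only the lengths matter for the size arithmetic. */
typedef struct {
    ptrdiff_t key_len;
    ptrdiff_t value_len;
} EnvPair;

/* Checked addition on a signed size type (ptrdiff_t plays the role of
   Py_ssize_t). Returns 0 and stores the sum, or -1 on overflow or on a
   negative operand. */
static int checked_add(ptrdiff_t a, ptrdiff_t b, ptrdiff_t *out)
{
    if (a < 0 || b < 0 || a > PTRDIFF_MAX - b)
        return -1;
    *out = a + b;
    return 0;
}

/* Size of the environment block in UCS4 code units, using the same layout
   as the posted loop: key '=' value '\0' per entry plus a trailing '\0'.
   Returns -1 instead of silently wrapping. */
ptrdiff_t env_block_units(const EnvPair *pairs, size_t n)
{
    ptrdiff_t total = 1;                                     /* trailing null */
    for (size_t i = 0; i < n; i++) {
        ptrdiff_t entry;
        if (checked_add(pairs[i].key_len, 1, &entry) < 0)    /* +1 for '=' */
            return -1;
        if (checked_add(total, entry, &total) < 0)
            return -1;
        if (checked_add(pairs[i].value_len, 1, &entry) < 0)  /* +1 for '\0' */
            return -1;
        if (checked_add(total, entry, &total) < 0)
            return -1;
    }
    return total;
}

/* Byte count for the allocation: units * sizeof(Py_UCS4) with the
   multiplication checked. Returns 0 and stores the size, or -1. */
int env_block_bytes(ptrdiff_t units, size_t *out)
{
    if (units < 0 || (size_t)units > SIZE_MAX / sizeof(uint32_t))
        return -1;
    *out = (size_t)units * sizeof(uint32_t);
    return 0;
}

/* The unchecked multiplication from the report, on a 32-bit unsigned so
   the wrap is well defined: 2^30 units * 4 bytes == 0. */
uint32_t unchecked_bytes_32(uint32_t units)
{
    return units * 4u;
}

int main(void)
{
    /* Constructed sample: a 2-entry mapping such as {"A": "B", "PATH": "C:\\x"} */
    EnvPair small[2] = { {1, 1}, {4, 5} };
    ptrdiff_t units = env_block_units(small, 2);
    size_t bytes = 0;
    int ok = env_block_bytes(units, &bytes);
    printf("units=%td ok=%d bytes=%zu\n", units, ok, bytes);

    /* Constructed sample whose lengths overflow the signed size type. */
    EnvPair huge[2] = { {PTRDIFF_MAX - 1, 0}, {PTRDIFF_MAX - 1, 0} };
    printf("huge mapping -> units=%td (rejected)\n", env_block_units(huge, 2));
    printf("unchecked 32-bit byte count for 2^30 units: %u\n",
           unchecked_bytes_32(1u << 30));
    return 0;
}
```

The two checks are deliberately separate: env_block_units guards the additions in the counting loop (the report's point 1) and env_block_bytes guards the multiplication in the allocation (point 2); a caller that applies only one of them still leaves a wrap-around path open.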
msg235427 - Author: paul (pkt) Date: 2015-02-05 10:41
ping
msg235607 - Author: paul (pkt) Date: 2015-02-09 13:21
ping
msg235657 - Author: Roundup Robot (python-dev) (Python triager) Date: 2015-02-10 02:00
New changeset ab2e79c6cf6b by Benjamin Peterson in branch '3.3':
add overflow checking (closes #23361)
https://hg.python.org/cpython/rev/ab2e79c6cf6b

New changeset b82cc9180a78 by Benjamin Peterson in branch '3.4':
merge 3.3 (#23361)
https://hg.python.org/cpython/rev/b82cc9180a78

New changeset 76170e33f251 by Benjamin Peterson in branch 'default':
merge 3.4 (#23361)
https://hg.python.org/cpython/rev/76170e33f251
History
Date | User | Action | Args
2022-04-11 14:58:12 | admin | set | github: 67550
2015-02-12 07:55:18 | Arfrever | set | versions: + Python 3.3, Python 3.5
2015-02-10 02:00:18 | python-dev | set | status: open -> closed; nosy: +python-dev; messages: +msg235657; resolution: fixed; stage: resolved
2015-02-09 13:21:25 | pkt | set | messages: +msg235607
2015-02-05 10:41:09 | pkt | set | messages: +msg235427
2015-02-01 21:16:48 | Arfrever | set | nosy: +Arfrever
2015-02-01 13:51:43 | pkt | create |