Created on 2008-04-08 15:41 by jnferguson, last changed 2022-04-11 14:56 by admin. This issue is now closed.
| Files | |
|---|---|
| File name | Uploaded |
| python-2.5.2-zlib-unflush-misallocation.py | jnferguson, 2008-04-08 15:41 |
| python-2.5.2-zlib-unflush-signedness.py | jnferguson, 2008-04-08 15:42 |
| Messages (7) | |||
|---|---|---|---|
| msg65171 | Author: Justin Ferguson (jnferguson) | Date: 2008-04-08 15:41 | |
The zlib module in multiple places fails to adequately check the sanity of its arguments resulting in memory corruption, please see two attached PoCs. |
|||
| msg65176 | Author: Raymond Hettinger (rhettinger) * (Python committer) | Date: 2008-04-08 16:04 | |
Verified that the script crashes Python. |
|||
| msg65191 | Author: Justin Ferguson (jnferguson) | Date: 2008-04-08 16:49 | |
Just so you know, the scripts actually do two different things -- the bugs are both related to negative values though. One causes PyString_FromStringAndSize() to try and allocate zero bytes (the -24 one), the other causes like 22 bytes to get allocated and then takes advantage of the sign-conversion when the value is assigned to the zlib structure member (the member is unsigned, the value is signed). Honestly, you guys should consider enforcing the safe downcast usage because signedness issues are all over your code base (as I'm sure you know). |
|||
| msg65229 | Author: Alexander Belopolsky (belopolsky) * (Python committer) | Date: 2008-04-09 01:57 | |
This has just been fixed in the trunk: r62235. |
|||
| msg65230 | Author: Raymond Hettinger (rhettinger) * (Python committer) | Date: 2008-04-09 02:20 | |
Thx |
|||
| msg65302 | Author: David Remahl (chmod007) | Date: 2008-04-10 17:17 | |
I submit that a check for negative values (non-assert-based) should be added to PyString_FromStringAndSize(). This API is called from many, many places, and in several cases the operand could probably be negative. It should raise an overflow exception for a negative value. |
|||
| msg65303 | Author: Alexander Belopolsky (belopolsky) * (Python committer) | Date: 2008-04-10 17:34 | |
On Thu, Apr 10, 2008 at 1:17 PM, David Remahl <report@bugs.python.org> wrote:
> I submit that a check for negative values (non-assert-based) should be
> added to PyString_FromStringAndSize().

See issue2587 and r62262. |
|||
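
The sign conversion described in msg65191, shown as an added C illustration; it is not code from CPython, from the attached PoCs, or from the commits referenced in this thread. `struct stream_model`, `store_unchecked` and `store_checked` are hypothetical names, the sample lengths are constructed, and treating a zero length as invalid is an assumption of this sketch.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for a stream structure whose output-space
 * counter is unsigned, as the report describes for the zlib member. */
struct stream_model {
    unsigned int avail_out;
};

/* Unchecked pattern: the signed length is stored straight into the
 * unsigned member, so a negative value wraps to a very large count. */
unsigned int store_unchecked(struct stream_model *s, int length)
{
    s->avail_out = (unsigned int)length;
    return s->avail_out;
}

/* Checked pattern: reject non-positive lengths (zero is an assumption
 * of this sketch) and values that do not fit the destination type
 * before anything is sized from them.
 * Returns 0 on success, -1 if the caller should raise an error. */
int store_checked(struct stream_model *s, long length)
{
    if (length <= 0)
        return -1;
    if ((unsigned long)length > UINT_MAX)
        return -1;
    s->avail_out = (unsigned int)length;
    return 0;
}

int main(void)
{
    struct stream_model s = {0};
    /* Constructed sample lengths, including negative ones. */
    long samples[] = {16384, 0, -1, -24};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = store_checked(&s, samples[i]);
        printf("length=%ld checked=%s unchecked avail_out=%u\n",
               samples[i], rc == 0 ? "accepted" : "rejected",
               store_unchecked(&s, (int)samples[i]));
    }
    return 0;
}
```
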
| History | |||
|---|---|---|---|
| Date | User | Action | Args |
| 2022-04-11 14:56:33 | admin | set | github: 46838 |
| 2008-04-10 17:34:48 | belopolsky | set | messages: + msg65303 |
| 2008-04-10 17:17:29 | chmod007 | set | nosy: + chmod007 messages: + msg65302 |
| 2008-04-09 02:20:17 | rhettinger | set | status: open -> closed resolution: fixed messages: + msg65230 |
| 2008-04-09 01:57:09 | belopolsky | set | nosy: + belopolsky messages: + msg65229 |
| 2008-04-08 16:49:18 | jnferguson | set | messages: + msg65191 |
| 2008-04-08 16:04:15 | rhettinger | set | priority: critical nosy: + rhettinger messages: + msg65176 |
| 2008-04-08 15:42:05 | jnferguson | set | files: + python-2.5.2-zlib-unflush-signedness.py |
| 2008-04-08 15:41:40 | jnferguson | create | |