| Author | dev_zzo |
|---|---|
| Recipients | JohnLeitch, dev_zzo, serhiy.storchaka |
| Date | 2015-06-18.08:22:30 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1434615751.61.0.720201349881.issue24462@psf.upfronthosting.co.za> |
| In-reply-to | |

| Content |
|---|

Quick analysis tells this can be attributed to the following code (in 2.7):

https://hg.python.org/cpython/file/a8e24d776e99/Objects/stringlib/fastsearch.h#l110
https://hg.python.org/cpython/file/a8e24d776e99/Objects/stringlib/fastsearch.h#l116

Suppose `i = 0`, then `s[i+m]` causes OOB access when `m=n`. Note only one iteration is possible in case of `m=n` due to loop condition of `i <= (w = n-m = 0)`.

Theoretically, one can try disclosing one adjacent byte, but more likely results are nothing (or potentially invalid match result) or a potential crash in an unlucky case of `s[m]` hitting an unmapped page.

The same code lives in 3.2 (and likely any prior 3.x release), and 3.3 seems to be affected as well. 3.4 code has a modified version, but has the same problem (`ss = s + m - 1; if (!STRINGLIB_BLOOM(mask, ss[i+1])) ...`).
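The lookahead read described in this message, as an added example that is not part of the original message or of CPython's source: a simplified C model of the skip loop in which every read of `s` is recorded. The function names, the exact-membership stand-in for `STRINGLIB_BLOOM` and the `guarded` flag are assumptions made for illustration; the guard is one possible bounds check, not the fix applied upstream.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the skip loop, not CPython's code. The caller passes
   n+1 readable bytes; max_read records the highest index of s touched. */
static size_t max_read;

static unsigned char rd(const unsigned char *s, size_t idx) {
    if (idx > max_read) max_read = idx;
    return s[idx];
}

/* Exact membership test standing in for STRINGLIB_BLOOM (assumption). */
static int in_pattern(const unsigned char *p, size_t m, unsigned char c) {
    return memchr(p, c, m) != NULL;
}

/* Returns the first match index or -1. guarded=0 keeps the s[i+m] lookahead
   as described in the message; guarded=1 skips it when i+m == n. */
long model_find(const unsigned char *s, size_t n,
                const unsigned char *p, size_t m, int guarded) {
    size_t i, j, w;
    max_read = 0;
    if (m < 2 || m > n) return -1;  /* model covers the multi-byte path only */
    w = n - m;
    for (i = 0; i <= w; i++) {
        if (rd(s, i + m - 1) == p[m - 1]) {
            for (j = 0; j < m - 1; j++)
                if (rd(s, i + j) != p[j]) break;
            if (j == m - 1) return (long)i;
        }
        if (guarded && i + m >= n) continue;  /* no byte after the window */
        if (!in_pattern(p, m, rd(s, i + m))) i += m;  /* lookahead skip */
    }
    return -1;
}

size_t model_max_read(void) { return max_read; }

int main(void) {
    /* Constructed input: logical haystack "abc" (n = 3), one pad byte 'X'. */
    const unsigned char hay[4] = {'a', 'b', 'c', 'X'};
    const unsigned char *pat = (const unsigned char *)"abd";
    model_find(hay, 3, pat, 3, 0);
    printf("unguarded: highest index read = %zu (n = 3)\n", model_max_read());
    model_find(hay, 3, pat, 3, 1);
    printf("guarded:   highest index read = %zu (n = 3)\n", model_max_read());
    return 0;
}
```

The pad byte exists only so the model can observe the read at index `n` without itself leaving its buffer.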
History

| Date | User | Action | Args |
|---|---|---|---|
| 2015-06-18 08:22:31 | dev_zzo | set | recipients: + dev_zzo, serhiy.storchaka, JohnLeitch |
| 2015-06-18 08:22:31 | dev_zzo | set | messageid: <1434615751.61.0.720201349881.issue24462@psf.upfronthosting.co.za> |
| 2015-06-18 08:22:31 | dev_zzo | link | issue24462 messages |
| 2015-06-18 08:22:30 | dev_zzo | create | |