Bugs item #883495, was opened at 2004-01-24 07:15
Message generated for change (Comment added) made by gbrandl
You can respond by visiting:
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=883495&group_id=5470

Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update.

Category: Extension Modules
Group: Python 2.3
>Status: Closed
Resolution: Works For Me
Priority: 7
Submitted By: Matthias Klose (doko)
Assigned to: Fred L. Drake, Jr. (fdrake)
Summary: python crash in pyexpat's XmlInitUnknownEncodingNS

Initial Comment:
[forwarded from http://bugs.debian.org/229281]

seen with 2.3.3, works with 2.2.3 and 2.1.3 (after fixing the 2.1 incompatibilities). The pyexpat code used is the one direct from the distribution, no external library.

The attached testcase demonstrates a bug in, apparently, /usr/lib/python2.3/lib-dynload/pyexpat.so.

Here's the bug in gdb:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 28350)]
0x40566800 in XmlInitUnknownEncodingNS () from /usr/lib/python2.3/lib-dynload/pyexpat.so

To try it yourself, run "make" in the testcase directory.

I apologise for the size of this testcase; I would have whittled it down to something simpler, but I am not a python programmer. I also apologise if the bug is really in some library that python uses; I only went back as far as pyexpat.so.

Some developers on IRC feel this may be exploitable. Talk with Scott James Remnant <[EMAIL PROTECTED]>, who also has some idea of the encoding problems in the rss file that are causing the crash.

----------------------------------------------------------------------

>Comment By: Georg Brandl (gbrandl)
Date: 2006-07-29 10:51

Message:
Logged In: YES
user_id=849994

Doesn't occur in 2.3.5, 2.4 head and SVN head. The patch doesn't apply to expat 2.0 anymore. => Closing.

----------------------------------------------------------------------

Comment By: Neal Norwitz (nnorwitz)
Date: 2005-09-30 05:14

Message:
Logged In: YES
user_id=33168

Martin, this seems to work in Python 2.3.4, 2.4.2 and CVS. Has it been fixed and can it be closed?
----------------------------------------------------------------------

Comment By: Martin v. Löwis (loewis)
Date: 2004-04-20 19:44

Message:
Logged In: YES
user_id=21627

The parser crashes because it invokes GetBuffer inside Parser, when Python is providing the next chunk of input, which reallocs the buffer to a different location. However, eventPtr is not updated inside GetBuffer (and neither is positionPtr). As a result, the next access to eventPtr (in XML_GetCurrentLineNumber, invoked from set_error), will cause a segfault.

It is not clear to me why these pointers are not adjusted when the buffer is reallocated. However, a consistent fix appears to be to update the eventPtr close to the place where positionPtr is initialized, which is done in the attached patch exp.diff, which fixes this test case.

Fred, can you please review this patch?
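
The failure mode described in the 2004-04-20 comment, as an added example that is not part of the tracker thread, expat, or the attached exp.diff: a simplified model of a parser that keeps raw pointers into an input buffer which moves when it grows, with the pointers rebuilt from offsets after the reallocation. The Parser struct, feed() and current_line() are hypothetical names; only the roles of event_ptr and position_ptr follow the comment.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model, not expat's code: raw pointers kept into an input
   buffer that is reallocated as chunks arrive. */
typedef struct {
    char *buf;                /* input buffer */
    size_t used, cap;         /* bytes stored / bytes allocated */
    const char *event_ptr;    /* start of the construct being reported */
    const char *position_ptr; /* lines are counted up to here */
    unsigned long line;       /* newlines seen before position_ptr */
} Parser;

/* Append a chunk. Growing may move the block, so pointers into it are
   turned into offsets first and rebuilt on the new block afterwards. */
static int feed(Parser *p, const char *chunk, size_t n)
{
    if (p->cap - p->used < n) {
        size_t ev = p->event_ptr ? (size_t)(p->event_ptr - p->buf) : 0;
        size_t pos = p->position_ptr ? (size_t)(p->position_ptr - p->buf) : 0;
        size_t ncap = p->cap ? p->cap * 2 : 16;
        while (ncap - p->used < n)
            ncap *= 2;
        char *nb = realloc(p->buf, ncap);
        if (nb == NULL)
            return 0;         /* old block and old pointers remain valid */
        /* Without the two rebasing assignments below, both pointers
           would still address the freed block. */
        if (p->event_ptr) p->event_ptr = nb + ev;
        if (p->position_ptr) p->position_ptr = nb + pos;
        p->buf = nb;
        p->cap = ncap;
    }
    memcpy(p->buf + p->used, chunk, n);
    p->used += n;
    return 1;
}

/* Line of event_ptr (1-based): the walk that reads through the pointers. */
static unsigned long current_line(Parser *p)
{
    while (p->position_ptr && p->position_ptr < p->event_ptr)
        if (*p->position_ptr++ == '\n')
            p->line++;
    return p->line + 1;
}
```

Storing offsets in the struct instead of pointers removes the rebasing step altogether; building with -fsanitize=address makes a missed rebase fail at the first read in current_line().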