[issue23055] PyUnicode_FromFormatV crasher

2015-02-01 Thread Arfrever Frehtes Taifersar Arahesis
Changes by Arfrever Frehtes Taifersar Arahesis : -- nosy: +Arfrever ___ Python tracker ___ ___ Python-bugs-list mailing list Unsubscri

[issue23055] PyUnicode_FromFormatV crasher

2015-01-30 Thread Serhiy Storchaka
Changes by Serhiy Storchaka : -- status: open -> closed

[issue23055] PyUnicode_FromFormatV crasher

2015-01-30 Thread Roundup Robot
Roundup Robot added the comment: New changeset 245c9f372a34 by Serhiy Storchaka in branch '2.7': Issue #23055: Fixed read-past-the-end error in PyUnicode_FromFormatV. https://hg.python.org/cpython/rev/245c9f372a34 New changeset 9fe1d861f486 by Serhiy Storchaka in branch '3.2': Issue #23055: Fixe

[issue23055] PyUnicode_FromFormatV crasher

2015-01-30 Thread Stefan Krah
Stefan Krah added the comment: issue23055_2.patch looks good.

[issue23055] PyUnicode_FromFormatV crasher

2015-01-30 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Yes, I think following patch will help. -- Added file: http://bugs.python.org/file37929/issue23055_2.patch

[issue23055] PyUnicode_FromFormatV crasher

2015-01-30 Thread Stefan Krah
Stefan Krah added the comment: I think I still get a problem in 2.7: [1/1] test_unicode ==23430== Invalid read of size 1 ==23430==at 0x484541: PyUnicodeUCS2_FromFormatV (unicodeobject.c:736) ==23430==by 0x485C75: PyUnicodeUCS2_FromFormat (unicodeobject.c:1083) 736 for (f = form

[issue23055] PyUnicode_FromFormatV crasher

2015-01-30 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Thank you Stefan for pointing out the tests failure.

[issue23055] PyUnicode_FromFormatV crasher

2015-01-30 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Backported tests exposed off-by-one error in PyUnicode_FromFormatV. This error was fixed in 3.x in changeset ac768c8e13ac (issue7228).

[issue23055] PyUnicode_FromFormatV crasher

2015-01-30 Thread Roundup Robot
Roundup Robot added the comment: New changeset e5d79e6deeb5 by Serhiy Storchaka in branch '2.7': Issue #23055: Fixed off-by-one error in PyUnicode_FromFormatV. https://hg.python.org/cpython/rev/e5d79e6deeb5

[issue23055] PyUnicode_FromFormatV crasher

2015-01-30 Thread Serhiy Storchaka
Changes by Serhiy Storchaka : -- status: closed -> open

[issue23055] PyUnicode_FromFormatV crasher

2015-01-30 Thread Stefan Krah
Stefan Krah added the comment: I think in 2.7 there's a slight problem since e6b9e277fbf4: [1/1] test_unicode Debug memory block at address p=0x7f4ebba3fae0: API 'o' 100 bytes originally requested The 7 pad bytes at p-7 are FORBIDDENBYTE, as expected. The 8 pad bytes at tail=0x7f4ebb

[issue23055] PyUnicode_FromFormatV crasher

2015-01-27 Thread Serhiy Storchaka
Changes by Serhiy Storchaka : -- resolution: -> fixed stage: patch review -> resolved status: open -> closed

[issue23055] PyUnicode_FromFormatV crasher

2015-01-27 Thread Roundup Robot
Roundup Robot added the comment: New changeset e6b9e277fbf4 by Serhiy Storchaka in branch '2.7': Issue #23055: Fixed a buffer overflow in PyUnicode_FromFormatV. Analysis https://hg.python.org/cpython/rev/e6b9e277fbf4 New changeset f849f937f78c by Serhiy Storchaka in branch '3.2': Issue #23055:

[issue23055] PyUnicode_FromFormatV crasher

2015-01-27 Thread Georg Brandl
Georg Brandl added the comment: It's fine to commit it to both branches.

[issue23055] PyUnicode_FromFormatV crasher

2015-01-27 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Georg, what is your word as release manager of 3.2/3.3? I would commit the patch in 2.7 if there are no objections.

[issue23055] PyUnicode_FromFormatV crasher

2014-12-16 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: Here is updated patch for 2.7 (backported tests from 3.5), patches for 3.2 and 3.3. -- Added file: http://bugs.python.org/file37466/issue23055-2.7-2.patch Added file: http://bugs.python.org/file37467/issue23055-3.2.patch Added file: http://bugs.python

[issue23055] PyUnicode_FromFormatV crasher

2014-12-15 Thread Guido van Rossum
Guido van Rossum added the comment: I'd be much worried about attack scenarios if this function was part of the standard library. But it's not -- the stdlib's % operator uses completely different code. The most common use case is probably to generate error messages from extension modules -- an

[issue23055] PyUnicode_FromFormatV crasher

2014-12-15 Thread Guido Vranken
Guido Vranken added the comment: I'd also like to add that, although I agree with Guido van Rossum that the likelihood of even triggering this bug in a general programming context is low, there are two buffer overflows at play here (one stack-based and one heap-based), and given an adversary's

[issue23055] PyUnicode_FromFormatV crasher

2014-12-15 Thread Guido Vranken
Guido Vranken added the comment: Serhiy Storchaka: good call on changing my 'n += (width + precision) < 20 ? 20 : (width + precision);' into 'if (width < precision) width = precision;', I didn't realize that sprintf's space requirement entails using the largest of the two instead of adding the
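The buffer-sizing rule discussed in the message above, as an added worked example in C. This is not code from CPython or from the issue's patches; the function names, the 20-byte floor constant and the sample cases are this example's own. It compares the originally proposed sum rule, the larger-of-the-two rule, and a flat 20-byte reservation that ignores width and precision against what snprintf actually emits for a "%*.*d" conversion. It also reserves one extra byte for a leading minus sign, which sprintf places outside the precision digits; that caveat is added here, not a claim about the patch.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not CPython code. Every helper below is this
   example's own; the inputs in main() are constructed for it. */

#define INT64_DECIMAL_MAX 20   /* sign plus 19 digits of the widest 64-bit decimal */

/* Rule as first proposed: reserve width + precision, floored at 20. */
size_t sum_rule_estimate(int width, int precision)
{
    int n = width + precision;
    return (size_t)(n < INT64_DECIMAL_MAX ? INT64_DECIMAL_MAX : n);
}

/* Rule adopted in the discussion: the larger of width and precision
   bounds the field, because padding to width and zero-extending to
   precision overlap rather than add. One byte is added here for a
   leading '-', which sits outside the precision digits. */
size_t max_rule_estimate(int width, int precision)
{
    int n = (width < precision ? precision : width) + 1;
    return (size_t)(n < INT64_DECIMAL_MAX ? INT64_DECIMAL_MAX : n);
}

/* What sprintf would really emit for "%*.*d", measured without writing. */
size_t actual_field_length(int width, int precision, int value)
{
    int n = snprintf(NULL, 0, "%*.*d", width, precision, value);
    return n < 0 ? 0 : (size_t)n;
}

/* The unsafe assumption: a flat 20-byte reservation regardless of the
   width and precision parsed from the format string. Returns 1 when the
   conversion plus its terminating NUL would run past that reservation. */
int overflows_flat_reservation(int width, int precision, int value)
{
    return actual_field_length(width, precision, value) + 1 > INT64_DECIMAL_MAX;
}

/* Formats one conversion into a heap buffer sized by max_rule_estimate
   and returns the byte count written, or -1 if the estimate was too
   small (snprintf reports truncation instead of writing past the end). */
int format_with_estimate(int width, int precision, int value)
{
    size_t cap = max_rule_estimate(width, precision) + 1;   /* + NUL */
    char *buf = malloc(cap);
    if (buf == NULL)
        return -1;
    int n = snprintf(buf, cap, "%*.*d", width, precision, value);
    int ok = n >= 0 && (size_t)n < cap;
    free(buf);
    return ok ? n : -1;
}

int main(void)
{
    /* Constructed sample conversions: plain, wide, negative with precision,
       and both width and precision far above the 20-byte floor. */
    struct { int width, precision, value; } cases[] = {
        { 0, 0, 42 }, { 30, 0, 1 }, { 3, 5, -5 }, { 100, 100, -1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int w = cases[i].width, p = cases[i].precision, v = cases[i].value;
        printf("%%%d.%dd of %d: actual %zu, sum-rule %zu, max-rule %zu, "
               "flat-20 overflow %d\n",
               w, p, v, actual_field_length(w, p, v),
               sum_rule_estimate(w, p), max_rule_estimate(w, p),
               overflows_flat_reservation(w, p, v));
    }
    return 0;
}
```

The last case is the one that separates the two rules: both bound the real output, but the sum rule reserves 200 bytes where 101 are used, while the larger-of-the-two rule with the sign byte reserves exactly 101. The second case shows why a flat reservation is a write past the end: a width of 30 alone already exceeds 20 bytes.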

[issue23055] PyUnicode_FromFormatV crasher

2014-12-15 Thread Guido van Rossum
Guido van Rossum added the comment: Thank you for digging into this! I'd say go ahead and update 3.2 and 3.3 too -- these are in security-fix-only mode meaning that we only fix security issues and don't do actual releases. But we still do security bugfixes: for 3.2 until February 2016 (PEP 392

[issue23055] PyUnicode_FromFormatV crasher

2014-12-15 Thread Serhiy Storchaka
Serhiy Storchaka added the comment: I have added a couple of comments. Here is a patch which fixes found bugs. 3.4+ is not affected by this bug. 3.2 looks same as 2.7 and is affected, 3.3 uses different code but at first glance looks affected too. Is it worth fixing this bug in 3.2 and 3.3? -

[issue23055] PyUnicode_FromFormatV crasher

2014-12-15 Thread Guido van Rossum
New submission from Guido van Rossum: Fix as reported by Guido Vranken on secur...@python.org, with minimal test by me. Needs: - review - port to 3.2--3.5 Questions: - Does my test case cover all changed code? -- assignee: gvanrossum files: vranken.diff keywords: needs review, patch