[issue2590] S_unpack_from() Read Access Violation

Amaury Forgeot d'Arc added the comment: All expressions are of type Py_ssize_t, which is signed. buffer_len is positive; the subtraction (buffer_len - offset) can overflow only if offset is a (large) negative number, but then the first part of the test is already fulfilled. Closing unless mor

[issue2590] S_unpack_from() Read Access Violation

Guido van Rossum <[EMAIL PROTECTED]> added the comment: Ping? Patch? -- nosy: +gvanrossum ___ Python tracker <[EMAIL PROTECTED]> ___ ___

[issue2590] S_unpack_from() Read Access Violation

Justin Ferguson <[EMAIL PROTECTED]> added the comment: What I was originally thinking was if offset was larger than buf_len, that would cause the check at 1561 to fail due to the subtraction. That said, I'm not sure what type its being compared against so I need to check this further, let me get

[issue2590] S_unpack_from() Read Access Violation

Amaury Forgeot d'Arc <[EMAIL PROTECTED]> added the comment: What do you mean by "obscene" values? Do you have an example of actual values where the check at line 1561 does not do the right thing? -- just trying to understand where the problem is. -- nosy: +amaury.forgeotdarc __

[issue2590] S_unpack_from() Read Access Violation

New submission from Justin Ferguson <[EMAIL PROTECTED]>: The S_unpack_from() function in Modules/_struct.c does not adequately validate its arguments, potentially causing an out-of-bounds read access. It should be noted that the check at line 1561 is inadequate for obscene values of offset. Final