[issue27254] heap overflow in Tkinter module

2016-06-07 Thread Emin Ghuliev
New submission from Emin Ghuliev:

    /* This is used to get the application class for Tk 4.1 and up */
    argv0 = (char*)attemptckalloc(strlen(className) + 1); //<=== classname allocated
    if (!argv0) {
        PyErr_NoMemory();
        Py_DECREF(v);
        return NULL;
    }
    strcpy(ar

[issue27254] heap overflow in Tkinter module

2016-06-07 Thread Emin Ghuliev
Emin Ghuliev added the comment: Yeah, you're right, but Python doesn't check the classname length. Therefore the heap overflow occurred in Tcl.

[issue27254] heap overflow in Tkinter module

2016-06-08 Thread Emin Ghuliev
Emin Ghuliev added the comment: the appropriate size should be chosen I) Python tracker: <http://bugs.python.org/issue27254>

[issue27254] heap overflow in Tkinter module

2016-06-08 Thread Emin Ghuliev
Emin Ghuliev added the comment: pseudocode

    <+16>: movsxd rdx,DWORD PTR [rbx+0x8]
    <+20>: lea    eax,[rdx+rbp*1]

    newSize = length ($rdx) + dsPtr->length ($rbp)

    gdb > print /x $rbp
    $5 = 0xf
    gdb > print /x $rdx
    $6 = 0x10

    newsize = 0xf+0x10 = 0x1f
    cmp

[issue27254] UAF in Tkinter module

2016-06-12 Thread Emin Ghuliev
Changes by Emin Ghuliev: title: heap overflow in Tkinter module -> UAF in Tkinter module

[issue27254] UAF in Tkinter module

2016-07-04 Thread Emin Ghuliev
Changes by Emin Ghuliev: resolution: -> third party

[issue27254] UAF in Tkinter module

2016-07-04 Thread Emin Ghuliev
Changes by Emin Ghuliev: status: open -> closed

[issue27462] NULL Pointer deref in binary_iop1 function

2016-07-07 Thread Emin Ghuliev
New submission from Emin Ghuliev: Python VM parses "0x3b" opcode (INPLACE_MODULO) in the bytecode file. Subsequently VM parses left and right arguments of the opcode (0x3b). If the left and right arguments don't exist in the bytecode file, that causes a segmentation fault. Whi

[issue27462] NULL Pointer deref in binary_iop1 function

2016-07-07 Thread Emin Ghuliev
Emin Ghuliev added the comment: Nope, invalid bytecode file generated by fuzzer for the purpose of bug researching. Python just doesn't determine whether a variable is empty or valid.

[issue27462] NULL Pointer deref in binary_iop1 function

2016-07-07 Thread Emin Ghuliev
Changes by Emin Ghuliev: resolution: not a bug -> wont fix; status: pending -> closed. Python tracker: <http://bugs.python.org/issue27462>

[issue26595] Segfault on Pointer operation

2016-03-20 Thread Emin Ghuliev
New submission from Emin Ghuliev: I'm trying to use a pointer in a Python script, but when executing the following code I'm getting an error. (Segmentation fault)

    dmr@debian:~$ python test.py
    Segmentation fault

    self.mem = c_char_p(mem)
    pointer(self.binning())[0] = 0x41414141
    o

[issue26595] Segfault on Pointer operation

2016-03-20 Thread Emin Ghuliev
Changes by Emin Ghuliev: components: +ctypes; type: -> crash; versions: +Python 2.7. Python tracker: <http://bugs.python.org/issue26595>

[issue26595] Segfault on Pointer operation

2016-03-20 Thread Emin Ghuliev
Changes by Emin Ghuliev: status: open -> closed