[ python-Bugs-871026 ] PyOS_snprintf segfaults on missing native snprintf

SourceForge.net noreply at sourceforge.net
Mon Jan 5 16:12:16 EST 2004 

Bugs item #871026, was opened at 2004-01-05 17:37
Message generated for change (Comment added) made by fog
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=871026&group_id=5470

Category: Python Interpreter Core
Group: Platform-specific
Status: Open
Resolution: None
Priority: 5
Submitted By: Federico Di Gregorio (fog)
Assigned to: Nobody/Anonymous (nobody)
Summary: PyOS_snprintf segfaults on missing native snprintf

Initial Comment:
On architectures missing a native snprintf (checked on
win32 + Borland), PyOS_snprintf may cause a segfault
when passed a string argument (%s) larger than 512 bytes. 

Btw, allocating an extra 512 bytes and hoping for the
best while calling native vsprintf is also a security
risk (due to buffer overruns.)


----------------------------------------------------------------------

>Comment By: Federico Di Gregorio (fog)
Date: 2004-01-05 22:12

Message:
Logged In: YES 
user_id=10245

Yes, it causes a segfault when a module using PyOS_snprintf
passes it a string that is bigger than the buffer length +
512. This happens because first vsprintf is called with a
too small buffer and the stack is corrupted and then (too
late!)  there is the check and the fatal error.
Py_FatalError is called (maybe) but the return address is
gone from the stack and all you get is a segfault at the end
of the function.

I know PyOS_snprintf is internal but it can be used by
extension modules and (anyway) growing a buffer 512 bytes
statically is almost the same as using sprintf (without the
'n') directly.


----------------------------------------------------------------------

Comment By: Tim Peters (tim_one)
Date: 2004-01-05 18:01

Message:
Logged In: YES 
user_id=31435

Does it really cause a segfault?  This code is trying to cause 
Py_FatalError instead in that case:

else if ((size_t)len >= size + 512)
	Py_FatalError("Buffer overflow in 
PyOS_snprintf/PyOS_vsnprintf");

If that part isn't working, that is indeed a bug.

WRT security, PyOS_snprintf is an internal API function -- 
programs written in Python can't invoke it directly.  If a 
(necessarily) internal use of the function triggers this case, 
that's an error in the coding of the internals, but the *intent* 
is that Py_FatalError() get invoked then anyway, which 
immediately kills the Python process (via C abort()).

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=871026&group_id=5470

More information about the Python-bugs-list mailing list