[issue24917] time_strftime() Buffer Over-read

eryksun report at bugs.python.org
Sat Sep 5 13:41:17 CEST 2015


eryksun added the comment:

> On Windows, the C lib strftime() segfaults with a trailing '%', 
> just as it does with unsupported format codes.

No, it doesn't segfault; it invokes the invalid parameter handler (IPH). This could always be configured for the whole process, but with VC 14 it can also be configured per thread. I think it was Steve Dower who updated time_strftime to take advantage of this feature in 3.5, using the new macros _Py_BEGIN_SUPPRESS_IPH and _Py_END_SUPPRESS_IPH. This allowed removing the following check that used to be in the code prior to 3.5:

        if (outbuf[1]=='\0' ||
            !strchr("aAbBcdHIjmMpSUwWxXyYzZ%", outbuf[1]))
        {
            PyErr_SetString(PyExc_ValueError, "Invalid format string");
            Py_DECREF(format);
            return NULL;
        }

With this change the time module no longer has to make assumptions about what the CRT considers to be a valid format string in order to avoid invoking the IPH. However, this also accidentally removed checking whether outbuf[1]=='\0'. Now, instead of calling the default IPH that terminates the process, Python's _silent_invalid_parameter_handler gets called, which of course does nothing by design:

    >>> import time
    >>> time.strftime('A%')
    Breakpoint 0 hit
    python35!_silent_invalid_parameter_handler:
    00000000`5eadae50 c20000          ret     0
    0:000> k8
    Child-SP          RetAddr           Call Site
    00000000`002af018 000007fe`e9d8d2ab python35!_silent_invalid_parameter_handler
    00000000`002af020 000007fe`e9d8d2c9 ucrtbase!invalid_parameter+0x103
    00000000`002af060 000007fe`e9dafedc ucrtbase!invalid_parameter_noinfo+0x9
    00000000`002af0a0 000007fe`e9dac359 ucrtbase!Wcsftime_l+0x168
    00000000`002af140 000007fe`e9dac3f5 ucrtbase!Strftime_l+0x155
    00000000`002af1d0 00000000`5e9fc785 ucrtbase!strftime+0x15
    00000000`002af210 00000000`5ea7d5c2 python35!time_strftime+0x1f5
    00000000`002af2b0 00000000`5eaf8fd0 python35!PyCFunction_Call+0x122

----------
nosy: +eryksun

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue24917>
_______________________________________
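The pre-3.5 check quoted in the comment above, reworked as a stand-alone C program (an added example, not CPython's own code) that validates a format string before handing it to the CRT's strftime(), so a trailing '%' or an unsupported conversion is rejected instead of reaching the invalid parameter handler. The function names and the fixed sample date are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Conversion characters accepted by the pre-3.5 check quoted in the
 * report. A '%' must be followed by exactly one of these. */
static const char VALID_CONVERSIONS[] = "aAbBcdHIjmMpSUwWxXyYzZ%";

/* Returns 1 if every '%' in fmt is followed by a supported conversion
 * character, 0 otherwise. Never reads past the terminating NUL. */
int validate_strftime_format(const char *fmt)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        /* The NUL test must come first: strchr(set, '\0') finds the
         * terminator of the set and would wrongly accept a trailing '%'. */
        if (p[1] == '\0' || !strchr(VALID_CONVERSIONS, p[1]))
            return 0;
        p += 2;   /* skip the '%' and its conversion character */
    }
    return 1;
}

/* Validate first, then format. Returns the byte count strftime wrote,
 * or 0 when the format was rejected or the buffer was too small. */
size_t safe_strftime(char *out, size_t outlen, const char *fmt,
                     const struct tm *tm)
{
    if (!validate_strftime_format(fmt))
        return 0;
    return strftime(out, outlen, fmt, tm);
}

int main(void)
{
    struct tm tm = {0};   /* constructed fixed date: 2015-09-05 */
    tm.tm_year = 115; tm.tm_mon = 8; tm.tm_mday = 5;
    char buf[64];
    const char *samples[] = { "%Y-%m-%d", "100%%", "A%", "%Q" };
    for (size_t i = 0; i < 4; i++) {
        size_t n = safe_strftime(buf, sizeof buf, samples[i], &tm);
        if (n)
            printf("%-10s -> \"%s\"\n", samples[i], buf);
        else
            printf("%-10s -> rejected\n", samples[i]);
    }
    return 0;
}
```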

