Issue 27666: "stack smashing detected" in PyCursesWindow_Box
Created on 2016-08-01 23:52 by Steve Fink, last changed 2022-04-11 14:58 by admin. This issue is now closed.
Messages (8)
Author: Steve Fink (Steve Fink)
Date: 2016-08-01 23:52
When attempting to run |hg chistedit|, which uses the python curses module, I am getting:

*** stack smashing detected ***: /usr/bin/python terminated
The problem is in PyCursesWindow_Box in _cursesmodule.c:
    if (!PyArg_ParseTuple(args,"ll;vertint,horint", &ch1, &ch2))
        return NULL;
ch1 and ch2 are of type 'chtype', which is a 4-byte integer on my platform. (I am on a fresh install of Fedora 24 x86_64.) The format string 'l' is writing 8 bytes. It is hard to fit 8 bytes into a 4 byte variable.
I scanned through the rest of the file. Most places are very careful about this; if needed, they'll parse into a 'long' temporary and then assign. But here's another one in PyCurses_UngetMouse:
    MEVENT event;

    PyCursesInitialised;
    if (!PyArg_ParseTuple(args, "hiiil",
                          &event.id,
                          &event.x, &event.y, &event.z,
                          (int *) &event.bstate))
        return NULL;
event.bstate is of type mmask_t, which is also 4 bytes.
I did not find any more in that file.
% rpm -q python-libs
python-libs-2.7.12-1.fc24.x86_64
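Added example (not code from this issue or from CPython): a stand-alone C program that reproduces the width mismatch Steve describes with a 4-byte stand-in for chtype, and shows the safe pattern the thread settles on, parsing into a C long and range-checking before narrowing, which is what Serhiy's fix does via PyCurses_ConvertToChtype(). The helper names safe_convert_to_chtype() and write_long_through_chtype_pointer() are hypothetical; the memcpy keeps the overwrite well-defined so the clobbered neighbour can be inspected instead of crashing.

```c
/* Added example, not from the issue or CPython. Demonstrates why storing a
 * PyArg_ParseTuple "l" (C long) result into a 4-byte chtype corrupts the
 * adjacent stack slot on LP64 platforms, and the safe long-temporary +
 * range-check pattern. Helper names are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t chtype_t;   /* stand-in for ncurses' 4-byte chtype */

/* Two adjacent 4-byte locals, like ch1 and ch2 in PyCursesWindow_Box. */
struct two_slots {
    chtype_t ch1;
    chtype_t ch2;
};

/* Emulates the "l" format: it stores sizeof(long) bytes through the pointer
 * it was handed. memcpy into the struct stays in bounds (8 bytes total), so
 * the example is well-defined, but ch2 is overwritten when long is 8 bytes. */
struct two_slots write_long_through_chtype_pointer(long value)
{
    struct two_slots s = { 0xAAAAAAAAu, 0xBBBBBBBBu };
    memcpy(&s.ch1, &value, sizeof value);   /* 8 bytes into a 4-byte slot */
    return s;
}

int is_little_endian(void)
{
    uint16_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Safe pattern: parse into a C long, then range-check before narrowing.
 * Returns 1 on success, 0 if the value does not fit a chtype (the real
 * converter raises OverflowError at that point). */
int safe_convert_to_chtype(long value, chtype_t *out)
{
    if (value < 0 || (unsigned long)value > UINT32_MAX) {
        return 0;
    }
    *out = (chtype_t)value;
    return 1;
}

/* The width check behind the report: on x86_64 Linux sizeof(long) is 8
 * while chtype is 4, so "l" cannot be pointed at a chtype. */
int long_fits_in_chtype(void)
{
    return sizeof(long) <= sizeof(chtype_t);
}

int main(void)
{
    /* Constructed sample value; the high half lands in ch2 on LP64. */
    long sample = (long)0x1122334455667788LL;
    struct two_slots s = write_long_through_chtype_pointer(sample);
    chtype_t ch;

    printf("sizeof(long)=%zu sizeof(chtype)=%zu fits=%d\n",
           sizeof(long), sizeof(chtype_t), long_fits_in_chtype());
    printf("ch1=0x%08x ch2=0x%08x (ch2 started as 0xBBBBBBBB)\n", s.ch1, s.ch2);
    printf("convert 0x41 -> %d\n", safe_convert_to_chtype(0x41L, &ch));
    printf("convert -1   -> %d\n", safe_convert_to_chtype(-1L, &ch));
    return 0;
}
```

The first printf line is the whole bug: once sizeof(long) exceeds sizeof(chtype), every "l" conversion aimed at a chtype writes past the variable, and ch2 (or whatever the compiler placed next, including the stack canary) takes the spill. Parsing into a long and checking the range is what keeps the write inside a correctly sized object.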
Author: Steve Fink (Steve Fink)
Date: 2016-08-20 22:26
I'm running now (successfully) with a simpler patch, just changing it to parse format 'i', but this patch is probably a bit safer.
Author: Serhiy Storchaka (serhiy.storchaka) *
Date: 2017-11-01 17:01
Thank you for your patch Steve.
It is better to use PyCurses_ConvertToChtype() which is used for parsing all chtype arguments.
Author: Serhiy Storchaka (serhiy.storchaka) *
Date: 2017-11-01 19:23
New changeset aad7ac10af6ed40fc21b842e04be0b04b2915d4a by Serhiy Storchaka (Miss Islington (bot)) in branch '3.6': bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). (GH-4220) (#4221) https://github.com/python/cpython/commit/aad7ac10af6ed40fc21b842e04be0b04b2915d4a
Author: Serhiy Storchaka (serhiy.storchaka) *
Date: 2017-11-01 19:24
New changeset b694770a2b23cd485c98bf673a8b2dc1a865d9df by Serhiy Storchaka (Miss Islington (bot)) in branch '2.7': bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). (GH-4220) (#4222) https://github.com/python/cpython/commit/b694770a2b23cd485c98bf673a8b2dc1a865d9df
Author: STINNER Victor (vstinner) *
Date: 2017-11-07 01:03
The Python 2.7 backport (commit b694770a2b23cd485c98bf673a8b2dc1a865d9df) is wrong. The _curses module cannot be compiled anymore:
Example of compilation errors:
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c: In function 'PyCursesWindow_Box':
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:39: warning: passing argument 1 of 'PyCurses_ConvertToChtype' from incompatible pointer type [-Wincompatible-pointer-types]
     if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
                                   ^~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: expected 'PyObject * {aka struct _object *}' but argument is of type 'PyCursesWindowObject * {aka struct *}'
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:45: warning: passing argument 2 of 'PyCurses_ConvertToChtype' from incompatible pointer type [-Wincompatible-pointer-types]
     if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
                                         ^~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: expected 'chtype * {aka unsigned int *}' but argument is of type 'PyObject * {aka struct _object *}'
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:14: error: too many arguments to function 'PyCurses_ConvertToChtype'
     if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
          ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: declared here
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~
Author: Serhiy Storchaka (serhiy.storchaka) *
Date: 2017-11-07 07:55
New changeset 69ea4b4deb123c9a3c986b7afb85183732784f4f by Serhiy Storchaka in branch '2.7': Fix bpo-27666 backporting error in _cursesmodule.c (#4305) https://github.com/python/cpython/commit/69ea4b4deb123c9a3c986b7afb85183732784f4f
Author: Serhiy Storchaka (serhiy.storchaka) *
Date: 2017-11-07 07:56
Thank you for catching this Victor.
History

Date                 User              Action  Args
2022-04-11 14:58:34  admin             set     github: 71853
2017-11-07 07:56:22  serhiy.storchaka  set     messages: +
2017-11-07 07:55:40  serhiy.storchaka  set     status: open -> closed; resolution: fixed; messages: +; stage: patch review -> resolved
2017-11-07 07:09:06  serhiy.storchaka  set     stage: resolved -> patch review; pull_requests: + pull_request4268
2017-11-07 01:03:45  vstinner          set     status: closed -> open; nosy: + vstinner; messages: +; resolution: fixed -> (no value)
2017-11-01 19:26:21  serhiy.storchaka  set     status: open -> closed; resolution: fixed; stage: patch review -> resolved
2017-11-01 19:24:02  serhiy.storchaka  set     messages: +
2017-11-01 19:24:02  python-dev        set     pull_requests: + pull_request4190
2017-11-01 19:23:52  serhiy.storchaka  set     messages: +
2017-11-01 18:49:58  python-dev        set     pull_requests: + pull_request4189
2017-11-01 17:02:05  serhiy.storchaka  set     assignee: serhiy.storchaka; versions: + Python 3.6, Python 3.7
2017-11-01 17:01:54  serhiy.storchaka  set     messages: +
2017-11-01 16:54:43  serhiy.storchaka  set     stage: needs patch -> patch review; pull_requests: + pull_request4188
2016-08-20 22:26:22  Steve Fink        set     files: + python-2.7.12-curses-argparse.patch; keywords: + patch; messages: +
2016-08-02 13:27:45  serhiy.storchaka  set     nosy: + serhiy.storchaka; stage: needs patch
2016-08-02 08:41:24  SilentGhost       set     nosy: + twouters; components: + Extension Modules, - Library (Lib)
2016-08-01 23:52:30  Steve Fink        create