Issue 4317: Buffer overflow in imageop module (original) (raw)

Created on 2008-11-13 22:57 by amaury.forgeotdarc, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (6)
msg75840 - (view)	Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) *	Date: 2008-11-13 22:57
The interpreter sometimes segfaults when running the test suite, in test_imageop. A more reliable crasher is: >>> import imageop >>> s = "A" * 32000 >>> imageop.rgb2rgb8(s, 1, len(s)) The failure was recently introduced by r66689, a "security fix" :-( and backported today in 2.4! This is a 2.4 release blocker. Patch is attached, please review.
msg75841 - (view)	Author: STINNER Victor (vstinner) *	Date: 2008-11-13 22:59
Ooops. That's why I asked for one or more reviewers :-)
msg75842 - (view)	Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) *	Date: 2008-11-13 23:01
Of course I uploaded the wrong patch. Trying again.
msg75988 - (view)	Author: Benjamin Peterson (benjamin.peterson) *	Date: 2008-11-17 22:41
Looks good.
msg76000 - (view)	Author: STINNER Victor (vstinner) *	Date: 2008-11-18 05:48
When I wrote my patch to fix division by zero (and detection of -n * -n overflow), I also wrote a script to test imageop module. I fixed the limit of the input string to 1024 bytes, and so the rgb crash was not detected. Here is my script with a limit of 2^20 bytes which raise the crash. With the patch, there are no more crash ;-)
msg76027 - (view)	Author: Amaury Forgeot d'Arc (amaury.forgeotdarc) *	Date: 2008-11-18 22:56
Fixed in revisions r67266, 67267, r67268, r67270: (trunk, 2.6, 2.5, 2.4)