[Python-Dev] Fuzzing bugs: most bugs are closed (original) (raw)

Victor Stinner victor.stinner at haypocalc.com
Sat Jul 19 13:23:12 CEST 2008

• Previous message: [Python-Dev] Progress on switching Windows build to Berkeley DB 4.7.25...
• Next message: [Python-Dev] Fuzzing bugs: most bugs are closed
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

I filled 14 issues about bugs found by fuzzing (see my other email "Play with fuzzing" for more informations). Most bugs are now closed, cool :-) Last bugs:

== Trivial open bugs ==

segfault on locale.gettext(None)

• http://bugs.python.org/issue3302
• attached patch is trivial: fix the PyArg_ParseTuple() to block None value, and reject empty domain string for bindtextdomain() (to avoid strange error "OSError(0): success")

invalid ref count on locale.strcoll() error

• http://bugs.python.org/issue3303
• attached patch is trivial: add "if (rel1)"

_multiprocessing.Connection() doesn't check handle

• http://bugs.python.org/issue3321
• _multiprocessing.Connection(fd) doesn't check that fd is a valid file handle and so may crash on poll (the "evil" FD_SET() call)
• my patch add "|| fstat(handle, &statbuf)" to make sure that the file descriptor is valid

== Complex open bugs ==

block operation on closed socket/pipe for multiprocessing

• http://bugs.python.org/issue3311
• close() method sets the file handle to -1 but most methods don't check the handle and so may fail or crash. Especially poll() calls FD_SET((SOCKET)conn->handle, &rfds); with handle=-1 => crash.
• my patch creates a new MP error: "return MP_CLOSED_FILE;", used if handle is INVALID_HANDLE_VALUE to block operations (send, receive, poll) on closed files for socket and pipe.

bugs in scanstring_str() and scanstring_unicode() of _json module

• http://bugs.python.org/issue3322
• scanstring() function crashs if second argument is a big negative integer. There is no attached patch because I don't understand this function enough to fix it correctly, but I suggest to raise a ValueError if end is too small/big

invalid object destruction in re.finditer()

• or "PyObject_DEL inconsistency if pydebug option is used"
• http://bugs.python.org/issue3299
• It's the most complex bug, I prefer to write a new email :-)

== Need backport / port to python 3.0 ==

invalid call to PyMem_Free() in fileio_init()

• http://bugs.python.org/issue3304
• patch applied in Python 2.6 (trunk) but not in Python 3000: "i'm assuming that'll be merged into py3k automagically." wrote Gregory P. Smith

missing lock release in BZ2File_iternext()

• http://bugs.python.org/issue3309
• patch applied in Python 2.6 but "Needs backporting to release25-maint." wrote Gregory P. Smith

When all bugs will be closed, I will restart a fuzzing Python ;-) But I also tried with my patches and I was unable to find new bugs, great!

Victor

• Previous message: [Python-Dev] Progress on switching Windows build to Berkeley DB 4.7.25...
• Next message: [Python-Dev] Fuzzing bugs: most bugs are closed
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Python-Dev mailing list