Description
In CMS_Conservative_init, w is received from Python code.
Its size is not validated, hence `self->table[i] = (CMS_CELL_TYPE *) calloc(self->width, sizeof(CMS_CELL_TYPE));` may fail, which causes a NULL pointer.
self->table[i] is then accessed in CMS_Conservative_increment_obj, which makes Python crash.
Steps/Code/Corpus to Reproduce
```c
static int
CMS_VARIANT(_init)(CMS_TYPE *self, PyObject *args, PyObject *kwds)
{
.........................
for (i = 0; i < self->depth; i++)
{
    /* self->width comes from the Python-side w; the calloc result is stored without a NULL check */
    self->table[i] = (CMS_CELL_TYPE *) calloc(self->width, sizeof(CMS_CELL_TYPE));
    printf ("[%d]self->table[%d] = %p \r\n", i, i, self->table[i]);
}
...........................
```
Optional call-path: increment -> CMS_Log1024_increment -> CMS_Conservative_increment_obj
Expected Results
When w is set to an arbitrary number, Python should not crash.
Actual Results
crash
Versions
the main branch
Daybreak2019 changed the title from "Potential buffer-overflow in HyperLogLog_add of hill.c" to "Potential Null pointer access in CMS_Conservative_increment_obj" on Sep 16, 2021
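As an added example (not bounter's code and not from the issue author), the allocation pattern the report describes placed next to a hardened initializer. Everything in it is this example's own assumption rather than the project's API: the `cms_t` struct, `cms_init_unchecked`, `cms_init_checked`, `cms_increment`, `cms_query`, the policy caps `CMS_MAX_WIDTH`/`CMS_MAX_DEPTH`, and the FNV-1a row hash. The unchecked variant stores whatever `calloc` returns; the checked one rejects non-positive or oversized widths before allocating, checks every row, and unwinds on partial failure so the object is either fully usable or empty, which is the state a later increment can safely test for.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t cell_t;

typedef struct {
    size_t width;
    size_t depth;
    cell_t **table;           /* depth rows of width cells */
} cms_t;

/* Assumed policy caps for this example; they are not bounter's values. */
#define CMS_MAX_WIDTH ((size_t)1 << 30)
#define CMS_MAX_DEPTH ((size_t)64)

/* The pattern from the report: width is used as-is and calloc is not checked,
 * so a row can silently be NULL and the first increment dereferences it. */
static int cms_init_unchecked(cms_t *self, size_t width, size_t depth)
{
    self->width = width;
    self->depth = depth;
    self->table = calloc(depth, sizeof(cell_t *));
    if (self->table == NULL)
        return -1;
    for (size_t i = 0; i < depth; i++)
        self->table[i] = calloc(width, sizeof(cell_t)); /* NULL on failure, never checked */
    return 0;
}

/* 1 if every row is allocated, 0 if an increment would dereference NULL. */
static int cms_rows_all_allocated(const cms_t *self)
{
    if (self->table == NULL)
        return 0;
    for (size_t i = 0; i < self->depth; i++)
        if (self->table[i] == NULL)
            return 0;
    return 1;
}

static void cms_free(cms_t *self)
{
    if (self->table != NULL) {
        for (size_t i = 0; i < self->depth; i++)
            free(self->table[i]);     /* free(NULL) is a no-op */
        free(self->table);
    }
    memset(self, 0, sizeof *self);
}

/* Hardened init. Returns 0 on success, -1 for a bad argument, -2 when out of
 * memory; a Python binding would map these to ValueError / MemoryError. */
static int cms_init_checked(cms_t *self, long long width, long long depth)
{
    memset(self, 0, sizeof *self);
    if (width <= 0 || depth <= 0)
        return -1;                                   /* Python ints can be 0 or negative */
    if ((unsigned long long)width > CMS_MAX_WIDTH || (unsigned long long)depth > CMS_MAX_DEPTH)
        return -1;                                   /* policy cap on sketch size */
    if ((size_t)width > SIZE_MAX / sizeof(cell_t))
        return -1;                                   /* width * sizeof(cell_t) would overflow */
    self->table = calloc((size_t)depth, sizeof(cell_t *));
    if (self->table == NULL)
        return -2;
    self->width = (size_t)width;
    self->depth = (size_t)depth;
    for (size_t i = 0; i < self->depth; i++) {
        self->table[i] = calloc(self->width, sizeof(cell_t));
        if (self->table[i] == NULL) {               /* release rows 0..i-1, leave object empty */
            cms_free(self);
            return -2;
        }
    }
    return 0;
}

/* FNV-1a seeded per row; a stand-in for the sketch's real hash. */
static size_t cms_hash(const char *key, size_t row)
{
    uint64_t h = 1469598103934665603ULL ^ ((uint64_t)row * 0x9E3779B97F4A7C15ULL);
    for (; *key; key++) {
        h ^= (unsigned char)*key;
        h *= 1099511628211ULL;
    }
    return (size_t)h;
}

/* Increment refuses an object whose init failed instead of dereferencing NULL. */
static int cms_increment(cms_t *self, const char *key)
{
    if (self->table == NULL || self->width == 0)
        return -1;
    for (size_t i = 0; i < self->depth; i++)
        self->table[i][cms_hash(key, i) % self->width]++;
    return 0;
}

/* Point query: minimum over rows; 0 for an unusable object. */
static cell_t cms_query(const cms_t *self, const char *key)
{
    if (self->table == NULL || self->width == 0)
        return 0;
    cell_t best = UINT32_MAX;
    for (size_t i = 0; i < self->depth; i++) {
        cell_t v = self->table[i][cms_hash(key, i) % self->width];
        if (v < best)
            best = v;
    }
    return best;
}

int main(void)
{
    cms_t bad, good;
    /* A width whose byte count overflows size_t: calloc returns NULL and the
     * unchecked init stores it, so any increment would crash. */
    if (cms_init_unchecked(&bad, SIZE_MAX / sizeof(cell_t) + 1, 2) == 0)
        printf("unchecked init: all rows allocated = %d\n", cms_rows_all_allocated(&bad));
    cms_free(&bad);
    printf("checked init(width=-1): %d\n", cms_init_checked(&good, -1, 4));
    printf("checked init(huge width): %d\n", cms_init_checked(&good, (long long)(SIZE_MAX / 2), 4));
    if (cms_init_checked(&good, 1024, 4) == 0) {
        cms_increment(&good, "alpha");
        cms_increment(&good, "alpha");
        printf("count(alpha) = %u\n", (unsigned)cms_query(&good, "alpha"));
        cms_free(&good);
    }
    return 0;
}
```

The explicit `SIZE_MAX / sizeof(cell_t)` check matters even though modern allocators detect the multiplication overflow in `calloc`: it keeps the failure deterministic across libc implementations and lets the binding report a clear error for the argument rather than a generic out-of-memory condition.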