
python crash in pyexpat's XmlInitUnknownEncodingNS #39860

Closed
doko42 opened this issue Jan 24, 2004 · 4 comments
Labels
extension-modules C modules in the Modules dir

Comments

@doko42
Member

doko42 commented Jan 24, 2004

BPO 883495
Nosy @loewis, @freddrake, @birkenfeld, @doko42
Files
  • testcase.tgz: testcase
  • exp.diff
  • Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.


    GitHub fields:

    assignee = 'https://github.com/freddrake'
    closed_at = <Date 2006-07-29.10:51:26.000>
    created_at = <Date 2004-01-24.07:15:11.000>
    labels = ['extension-modules']
    title = "python crash in pyexpat's XmlInitUnknownEncodingNS"
    updated_at = <Date 2006-07-29.10:51:26.000>
    user = 'https://github.com/doko42'

    bugs.python.org fields:

    activity = <Date 2006-07-29.10:51:26.000>
    actor = 'georg.brandl'
    assignee = 'fdrake'
    closed = True
    closed_date = None
    closer = None
    components = ['Extension Modules']
    creation = <Date 2004-01-24.07:15:11.000>
    creator = 'doko'
    dependencies = []
    files = ['1180', '1181']
    hgrepos = []
    issue_num = 883495
    keywords = []
    message_count = 4.0
    messages = ['19801', '19802', '19803', '19804']
    nosy_count = 5.0
    nosy_names = ['loewis', 'fdrake', 'nnorwitz', 'georg.brandl', 'doko']
    pr_nums = []
    priority = 'high'
    resolution = 'works for me'
    stage = None
    status = 'closed'
    superseder = None
    type = None
    url = 'https://bugs.python.org/issue883495'
    versions = ['Python 2.3']

    @doko42
    Member Author

    doko42 commented Jan 24, 2004

    [forwarded from http://bugs.debian.org/229281]

    seen with 2.3.3, works with 2.2.3 and 2.1.3 (after
    fixing the 2.1 incompatibilities). The pyexpat code
    used is the one direct from the distribution, no
    external library.

    The attached testcase demonstrates a bug in,
    apparently, /usr/lib/python2.3/lib-dynload/pyexpat.so.
    Here's the bug in gdb:

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 16384 (LWP 28350)]
    0x40566800 in XmlInitUnknownEncodingNS ()
    from /usr/lib/python2.3/lib-dynload/pyexpat.so

    To try it yourself, run "make" in the testcase
    directory. I apologise for the size of this testcase; I
    would have whittled it down to something simpler, but
    I am not a python programmer. I also apologise if the
    bug is really in some library that python uses; I only
    went back as far as pyexpat.so.

    Some developers on IRC feel this may be exploitable.
    Talk with Scott James Remnant <scott@netsplit.com>, who
    also has some idea of the encoding problems in the rss
    file that are causing the crash.

    @doko42 doko42 closed this as completed Jan 24, 2004
    @doko42 doko42 added the extension-modules C modules in the Modules dir label Jan 24, 2004
    @loewis
    Mannequin

    loewis mannequin commented Apr 20, 2004

    Logged In: YES
    user_id=21627

    The parser crashes because it invokes GetBuffer inside
    Parser, when Python is providing the next chunk of input,
    which reallocs the buffer to a different location. However,
    eventPtr is not updated inside GetBuffer (and neither is
    positionPtr). As a result, the next access to eventPtr (in
    XML_GetCurrentLineNumber, invoked from set_error), will
    cause a segfault.

    It is not clear to me why these pointers are not adjusted
    when the buffer is reallocated. However, a consistent fix
    appears to be to update the eventPtr close to the place
    where positionPtr is initialized, which is done in the
    attached patch exp.diff, which fixes this test case.

    Fred, can you please review this patch?
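
    The stale-pointer pattern described in this comment, as an added C example (not expat's or CPython's code): a hypothetical, simplified parser buffer whose grow routine saves offsets before realloc and rebases eventPtr and positionPtr afterwards, which is the consistency the patch restores. The field and function names mirror the comment; the struct layout, sizes and the demo input are assumptions.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical, simplified model of the expat parser buffer (not expat's code):
 * eventPtr and positionPtr are interior pointers into `buffer`. */
typedef struct {
    char *buffer, *bufferEnd, *bufferLim;  /* data start, data end, alloc end */
    char *eventPtr, *positionPtr;          /* current token, last counted pos */
} Parser;

/* Make room for `need` more bytes and return the write position. The flawed form
 * rebased only buffer/bufferEnd/bufferLim, so when realloc moved the block eventPtr
 * dangled and its next read (XML_GetCurrentLineNumber from set_error) faulted. */
static char *GetBuffer(Parser *p, size_t need) {
    size_t used = p->buffer ? (size_t)(p->bufferEnd - p->buffer) : 0;
    size_t cap = p->buffer ? (size_t)(p->bufferLim - p->buffer) : 0;
    if (used + need <= cap) return p->bufferEnd;
    ptrdiff_t eventOff = p->eventPtr ? p->eventPtr - p->buffer : -1;
    ptrdiff_t posOff = p->positionPtr ? p->positionPtr - p->buffer : -1;
    size_t newCap = cap ? cap : 1024;
    while (newCap < used + need) newCap *= 2;
    char *nb = realloc(p->buffer, newCap);
    if (!nb) return NULL;
    p->buffer = nb; p->bufferEnd = nb + used; p->bufferLim = nb + newCap;
    p->eventPtr = eventOff >= 0 ? nb + eventOff : NULL;     /* the missing step */
    p->positionPtr = posOff >= 0 ? nb + posOff : NULL;
    return p->bufferEnd;
}

/* 1-based line of the current event: the read that crashed in the report. */
static int GetCurrentLineNumber(const Parser *p) {
    int line = 1;
    for (const char *c = p->buffer; c < p->eventPtr; c++) line += (*c == '\n');
    return line;
}

/* Feed a small chunk, mark an event in it, then feed a 1 MiB chunk to force
 * reallocation; returns 1 if the event is still addressable afterwards. */
static int demoReallocKeepsEventPtr(void) {
    Parser p = {0};
    const char *first = "line one\nline two\n<root";  /* constructed input */
    char *dst = GetBuffer(&p, strlen(first));
    memcpy(dst, first, strlen(first)); p.bufferEnd += strlen(first);
    p.eventPtr = strchr(p.buffer, '<'); p.positionPtr = p.buffer;
    if (!(dst = GetBuffer(&p, 1u << 20))) { free(p.buffer); return 0; }
    memset(dst, 'x', 1u << 20); p.bufferEnd += 1u << 20;
    int ok = p.eventPtr >= p.buffer && p.eventPtr < p.bufferEnd &&
             *p.eventPtr == '<' && GetCurrentLineNumber(&p) == 3;
    free(p.buffer); return ok;
}
```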

    @nnorwitz
    Mannequin

    nnorwitz mannequin commented Sep 30, 2005

    Logged In: YES
    user_id=33168

    Martin, this seems to work in Python 2.3.4, 2.4.2 and CVS.
    Has it been fixed and can it be closed?

    @birkenfeld
    Member

    Logged In: YES
    user_id=849994

    Doesn't occur in 2.3.5, 2.4 head and SVN head. The patch
    doesn't apply to expat 2.0 anymore. => Closing.

    @ezio-melotti ezio-melotti transferred this issue from another repository Apr 9, 2022