Parser API not checking for null-terminator #90860
Comments
In tokenizer.c, the translate_newlines() function does a

```c
static char *
translate_newlines(const char *s, int exec_input, struct tok_state *tok) {
    int skip_next_lf = 0;
    size_t needed_length = strlen(s) + 2, final_length;
```

This leads to a heap-buffer-overflow detected by ASAN in a simple reproducible example, calling PyRun_StringFlags() from the LLVM fuzzer:

```
fuzz_target(47084,0x11356f600) malloc: nano zone abandoned due to inability to preallocate reserved vm space.
0x602000003131 is located 0 bytes to the right of 1-byte region [0x602000003130,0x602000003131)
SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x15554) in wrap_strlen+0x184
artifact_prefix='./'; Test unit written to ./crash-da39a3ee5e6b4b0d3255bfef95601890afd80709
```
Could you please provide an example input to reproduce this?

The contract of that interface is to receive null-terminated strings, so I am a bit clueless on how this could receive a non-null terminated string. Notice that calling PyRun_StringFlags with a non-null terminated string is out of contract.

Closing as not a bug. Please, feel free to reopen if we missed something. Thanks for the report!
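The contract the maintainers describe above, as an added example that is not from the issue or from CPython: a libFuzzer-shaped harness that copies the length-delimited fuzz input into a NUL-terminated buffer before handing it to a strlen()-based parser entry point. `translate_newlines_stub` is an assumed, simplified stand-in for the real function, and `fuzz_one_input` and `check_translation` are hypothetical names.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Simplified stand-in (assumed shape, not CPython's translate_newlines): valid
 * only for NUL-terminated input, it sizes the buffer with strlen(s) + 2, turns
 * "\r\n" and "\r" into "\n", and with exec_input appends a missing final "\n". */
static char *translate_newlines_stub(const char *s, int exec_input)
{
    char *buf = malloc(strlen(s) + 2);    /* +2: extra '\n' and the NUL */
    if (buf == NULL) return NULL;
    char *out = buf;
    for (const char *p = s; *p != '\0'; p++) {   /* strlen and loop both stop at NUL */
        if (*p == '\r') {
            *out++ = '\n';
            if (p[1] == '\n') p++;        /* "\r\n" collapses to one '\n' */
        } else {
            *out++ = *p;
        }
    }
    if (exec_input && (out == buf || out[-1] != '\n'))
        *out++ = '\n';
    *out = '\0';
    return buf;
}

/* libFuzzer-shaped entry: the input is a length-delimited byte buffer, not a C
 * string, so it is copied and NUL-terminated before any strlen()-based API sees
 * it. Passing `data` straight through is the out-of-contract call the
 * maintainers describe; an embedded NUL is rejected rather than silently cut. */
static char *fuzz_one_input(const uint8_t *data, size_t size)
{
    if (memchr(data, '\0', size) != NULL) return NULL;
    char *src = malloc(size + 1);
    if (src == NULL) return NULL;
    memcpy(src, data, size);
    src[size] = '\0';                     /* the terminator the contract requires */
    char *res = translate_newlines_stub(src, 1);
    free(src);
    return res;
}

/* Runs the harness on a constructed buffer and compares with `expected`. */
static int check_translation(const uint8_t *data, size_t size, const char *expected)
{
    char *got = fuzz_one_input(data, size);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```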