https://github.com/python/cpython
Revision 30e769382dfb67a68fe8e6bfe8509addb4aa9514 authored by Miss Islington (bot) on 04 February 2020, 21:41:55 UTC, committed by GitHub on 04 February 2020, 21:41:55 UTC
When called on a closed object, readinto() segfaults on account of a write to a freed buffer: ==220553== Process terminating with default action of signal 11 (SIGSEGV): dumping core ==220553== Access not within mapped region at address 0x2A ==220553== at 0x48408A0: memmove (vg_replace_strmem.c:1272) ==220553== by 0x58DB0C: _buffered_readinto_generic (bufferedio.c:972) ==220553== by 0x58DCBA: _io__Buffered_readinto_impl (bufferedio.c:1053) ==220553== by 0x58DCBA: _io__Buffered_readinto (bufferedio.c.h:253) Reproducer: reader = open ("/dev/zero", "rb") _void = reader.read (42) reader.close () reader.readinto (bytearray (42)) GH-GH-GH- BANG! The problem exists since 2012 when commit dc469454ec added code to free the read buffer on close(). Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> (cherry picked from commit cb1c0746f277052e45a60d6c436a765e34722821) Co-authored-by: Philipp Gesang <phg@phi-gamma.net>
1 parent 9a740b6
closes bpo-39510: Fix use-after-free in BufferedReader.readinto() (GH-18295)
sre.h
/*
* Secret Labs' Regular Expression Engine
*
* regular expression matching engine
*
* Copyright (c) 1997-2001 by Secret Labs AB. All rights reserved.
*
* See the _sre.c file for information on usage and redistribution.
*/
#ifndef SRE_INCLUDED
#define SRE_INCLUDED
#include "sre_constants.h"
/* size of a code word (must be unsigned short or larger, and
large enough to hold a UCS4 character) */
#define SRE_CODE Py_UCS4
/* Upper bounds on values carried in the compiled code.  SRE_MAXREPEAT is
the largest repeat count a REPEAT operator can hold; SRE_MAXGROUPS bounds
the number of groups, which is half the number of marks because every
group has a start and an end mark (see MatchObject.groups).  When size_t
is wider than 32 bits the bounds are the full range of SRE_CODE; on
32-bit platforms they are tied to PY_SSIZE_T_MAX, presumably so that a
bound converts to Py_ssize_t without overflow.  NOTE(review): the extra
"/ SIZEOF_SIZE_T" in the 32-bit SRE_MAXGROUPS presumably keeps the
mark-array allocation size from overflowing -- confirm against the
allocator in _sre.c. */
#if SIZEOF_SIZE_T > 4
# define SRE_MAXREPEAT (~(SRE_CODE)0)
# define SRE_MAXGROUPS ((~(SRE_CODE)0) / 2)
#else
# define SRE_MAXREPEAT ((SRE_CODE)PY_SSIZE_T_MAX)
# define SRE_MAXGROUPS ((SRE_CODE)PY_SSIZE_T_MAX / SIZEOF_SIZE_T / 2)
#endif
/* A compiled pattern.  This is a variable-size object: the fixed header
below is followed by the pattern code words stored inline in code[].
Field order is part of the layout contract with _sre.c and must not be
changed here in isolation. */
typedef struct {
PyObject_VAR_HEAD
Py_ssize_t groups; /* number of groups; must be first field after the var header! */
PyObject* groupindex; /* dict */
PyObject* indexgroup; /* tuple */
/* compatibility */
PyObject* pattern; /* pattern source (or None) */
int flags; /* flags used when compiling pattern source */
PyObject *weakreflist; /* List of weak references */
int isbytes; /* pattern type (1 - bytes, 0 - string, -1 - None) */
/* pattern code */
Py_ssize_t codesize; /* length of code[] (presumably in SRE_CODE words; set by the allocator in _sre.c) */
SRE_CODE code[1]; /* trailing array using the pre-C99 "[1]" idiom rather than a flexible array
member.  The real length is codesize; the allocation size is computed outside
this header, so switching to code[] would change sizeof(PatternObject) and must
be done in step with the allocator. */
} PatternObject;
/* Pointer to the first code word of a pattern object.  Casts o unchecked,
so callers are responsible for passing a genuine PatternObject. */
#define PatternObject_GetCode(o) (((PatternObject*)(o))->code)
/* The result of a successful match.  Variable-size: the mark positions
(start/end marks, presumably two per group) are stored inline in mark[]
after the fixed header. */
typedef struct {
PyObject_VAR_HEAD
PyObject* string; /* link to the target string (must be first) */
PyObject* regs; /* cached list of matching spans */
PatternObject* pattern; /* link to the regex (pattern) object */
Py_ssize_t pos, endpos; /* current target slice */
Py_ssize_t lastindex; /* last index marker seen by the engine (-1 if none) */
Py_ssize_t groups; /* number of groups (start/end marks) */
Py_ssize_t mark[1]; /* trailing array of mark positions (pre-C99 "[1]" idiom);
the real length is fixed by the allocator in _sre.c, so do not change the
declaration here on its own. */
} MatchObject;
/* One entry of the repeat-context chain maintained by the matching engine
while it is inside a REPEAT construct.  Entries link back through prev. */
typedef struct SRE_REPEAT_T {
Py_ssize_t count; /* repeat count (presumably iterations matched so far) */
SRE_CODE* pattern; /* points to REPEAT operator arguments */
void* last_ptr; /* helper to check for infinite loops */
struct SRE_REPEAT_T *prev; /* points to previous repeat context */
} SRE_REPEAT;
/* Engine state for one matching run.  It owns heap memory (data_stack)
and holds a Py_buffer, so every code path that initialises a state must
also run the corresponding finaliser in _sre.c; otherwise memory and the
buffer export leak.  The string pointers are untyped (void*), presumably
because the element width is given by charsize. */
typedef struct {
/* string pointers */
void* ptr; /* current position (also end of current slice) */
void* beginning; /* start of original string */
void* start; /* start of current slice */
void* end; /* end of original string */
/* attributes for the match object */
PyObject* string; /* the subject object (stored into MatchObject.string) */
Py_buffer buffer; /* buffer view of string; NOTE(review): presumably what keeps the
underlying memory alive while the void* pointers above are in use -- confirm
it is released on all exit paths. */
Py_ssize_t pos, endpos; /* target slice, as in MatchObject */
int isbytes; /* presumably same encoding as PatternObject.isbytes -- verify */
int charsize; /* character size */
/* registers */
Py_ssize_t lastindex; /* last index marker seen (see MatchObject.lastindex) */
Py_ssize_t lastmark; /* highest mark set so far -- TODO confirm */
void** mark; /* mark positions, presumably raw pointers into the string */
int match_all; /* flag; semantics defined by the engine in _sre.c */
int must_advance; /* flag; semantics defined by the engine in _sre.c */
/* dynamically allocated stuff */
char* data_stack; /* heap-allocated engine stack; ownership lives with this state */
size_t data_stack_size; /* presumably bytes allocated for data_stack */
size_t data_stack_base; /* presumably current offset into data_stack */
/* current repeat context */
SRE_REPEAT *repeat; /* head of the SRE_REPEAT chain, or NULL */
} SRE_STATE;
/* Scanner object (presumably drives successive matches of pattern).  It
embeds a full SRE_STATE rather than pointing to one, so it carries the
same ownership obligations: the state must be finalised when the
scanner is deallocated. */
typedef struct {
PyObject_HEAD
PyObject* pattern; /* the pattern object being scanned */
SRE_STATE state; /* embedded engine state (owns data_stack and the Py_buffer) */
} ScannerObject;
#endif