gh-140594: Fix buffer overflow when feeding NULL bytes to PyOS_StdioReadline
#140910
Conversation
picnixz
left a comment
Please add tests.
A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated. Once you have made the requested changes, please leave a comment on this pull request containing the phrase And if you don't make the requested changes, you will be poked with soft cushions!
PyOS_StdioReadline
FTR, a buffer underflow is something entirely different.
I have made the requested changes; please review again |
Thanks for making the requested changes! @picnixz: please review the changes made to this pull request.
Misc/NEWS.d/next/Security/2025-11-02-16-23-17.gh-issue-140594.YIWUpl.rst
I have made the requested changes; please review again |
picnixz
left a comment
Using Popen seems an overkill.
Misc/NEWS.d/next/Security/2025-11-02-16-23-17.gh-issue-140594.YIWUpl.rst
I have made the requested changes; please review again |
By the way, have you tried to reproduce the issue without JIT and with the GIL as I suggested? I didn't check myself so I wondered whether you did so or not and whether you were able to reproduce the bug on main.
It reproduces ONLY when built with ASAN; in all other build variants, there’s no error. I tried many different combinations:

It seems that the NEWS entry here is located in the Security section.
Misc/NEWS.d/next/Core_and_Builtins/2025-11-02-16-23-17.gh-issue-140594.YIWUpl.rst
sergey-miryanov
left a comment
Thanks!
efimov-mikhail
left a comment
LGTM
| @@ -0,0 +1,2 @@ | |||
| Fix a buffer overflow when a single NULL character is read from the standard input. | |||
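Review bot: "buffer overflow" does not describe the change this entry documents; the code fix guards the `p[n-1]` index against `n == 0`, which is an out-of-bounds read before the start of the buffer, not a write past its end, and the byte involved is a NUL character rather than NULL. Suggest "Fix an out of bounds read when a single NUL character is read from the standard input." so the entry matches the fix.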
It's not a buffer overflow, "just" a read out of bounds.
| Fix a buffer overflow when a single NULL character is read from the standard input. | |
| Fix an out of bounds read when a single NUL character is read from the standard input. |
| } | ||
| n += strlen(p + n); | ||
| } while (p[n-1] != '\n'); | ||
| } while (n == 0 || p[n-1] != '\n'); |
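Review bot: with `n == 0 ||` in the condition, a chunk whose first byte is NUL makes `strlen(p + n)` return 0, so the loop goes round again and the next read lands at the same offset, discarding the NUL-prefixed bytes instead of returning them; this does avoid the `p[-1]` access of the old `p[n-1] != '\n'` condition, but it silently drops input, so a comment at the `while` explaining why an empty chunk restarts the read, plus a test covering both a leading NUL and a NUL in the middle of a line, would make the intended behaviour explicit.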
I would prefer to stop the loop if n==0.
| } while (n == 0 || p[n-1] != '\n'); | |
| } while (n != 0 && p[n-1] != '\n'); |
Then input like b'\x00spam\nham\nspam\n' will stop early. Is this intended?
I'm not sure which behavior is the correct behavior honestly.
I suppose that you should call readline again to read spam\n.
It sounds worth it to add a test at least.
Then behavior will be different if string starts with NUL byte or has it in the middle. I think we should document this difference.
We already have this conversation here: #140910 (comment).
Current fix seems to be slightly better for me.
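To see the difference the reviewers are debating, here is an added example (not code from the CPython PR or from PyOS_StdioReadline itself) that reimplements the accumulation loop over a constructed in-memory stdin and runs both guard variants on the input b'\x00spam\nham\nspam\n' from the thread; `fake_stdin`, `fake_fgets`, `read_line` and `first_line_matches` are this example's own names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for stdin: a byte buffer with a read cursor. */
typedef struct { const char *data; size_t len, pos; } fake_stdin;
enum { LOOP_ON_EMPTY = 0, STOP_ON_EMPTY = 1 };

/* fgets-like: at most size-1 bytes, stops after '\n', NUL-terminates; 0 at EOF. */
static int fake_fgets(char *buf, size_t size, fake_stdin *in) {
    size_t i = 0;
    if (in->pos >= in->len) return 0;
    while (i + 1 < size && in->pos < in->len) {
        buf[i++] = in->data[in->pos];
        if (in->data[in->pos++] == '\n') break;
    }
    buf[i] = '\0';
    return 1;
}

/* The accumulation loop from the hunk with the n == 0 case handled in one of the
   two ways debated above; the unguarded `p[n-1]` would index p[-1] for n == 0. */
static size_t read_line(fake_stdin *in, char *p, size_t cap, int mode) {
    size_t n = 0;
    for (;;) {
        if (!fake_fgets(p + n, cap - n, in)) break;   /* end of input */
        n += strlen(p + n);                           /* leading NUL: n stays 0 */
        int more = (mode == STOP_ON_EMPTY)
                 ? (n != 0 && p[n-1] != '\n')   /* suggested: return at once */
                 : (n == 0 || p[n-1] != '\n');  /* PR: read the next chunk */
        if (!more) break;
    }
    return n;
}

/* Feed the input quoted in the review and report whether the first call
   yields `expect` and leaves `unread` bytes for later calls. */
static int first_line_matches(int mode, const char *expect, size_t unread) {
    static const char sample[] = "\0spam\nham\nspam\n";   /* constructed input */
    fake_stdin in = { sample, sizeof sample - 1, 0 };
    char line[64];
    read_line(&in, line, sizeof line, mode);
    return strcmp(line, expect) == 0 && in.len - in.pos == unread;
}

int main(void) {
    printf("PR variant: \"ham\\n\" first, 5 bytes left: %d\n", first_line_matches(LOOP_ON_EMPTY, "ham\n", 5));
    printf("suggested variant: \"\" first, 9 bytes left: %d\n", first_line_matches(STOP_ON_EMPTY, "", 9));
    return 0;
}
```

With the PR's condition the leading `\x00spam\n` chunk is skipped and `ham\n` comes back first; with the suggested condition the first call returns an empty line and the remaining nine bytes wait for the next call.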