Bug report
Bug description:
Bug report
Bug summary
While reviewing the Buffer API implementation in Objects/abstract.c, I noticed two potential integer overflow vulnerabilities explicitly marked with XXX comments by developers.
These overflows occur in PyObject_CopyData when dealing with multi-dimensional buffers. If a buffer with artificially large dimensions or shape is provided, it can cause integer wrapping, leading to undersized memory allocations or incorrect element counts.
Code snippets
- Heap Buffer Overflow risk around line 721 in
Objects/abstract.c:
/* XXX(nnorwitz): need to check for overflow! */
indices = (Py_ssize_t *)PyMem_Malloc(sizeof(Py_ssize_t)*view_src.ndim);
If view_src.ndim is large enough, sizeof(Py_ssize_t) * view_src.ndim will overflow, resulting in a tiny allocation. The subsequent initialization loop will write out of bounds.
- Incorrect element count risk around line 734 in
Objects/abstract.c:
elements = 1;
for (k=0; k<view_src.ndim; k++) {
/* XXX(nnorwitz): can this overflow? */
elements *= view_src.shape[k];
}
If the dimensions in view_src.shape are large, multiplying them together can easily overflow the elements variable (a signed Py_ssize_t), resulting in a negative or truncated value, causing the subsequent while (elements--) loop to behave incorrectly.
Proposed Solution
Use standard overflow checking functions before performing the multiplications. For the allocation, consider using PyMem_New or PyMem_Malloc alongside an overflow check against PY_SSIZE_T_MAX.
CPython versions tested on:
Currently present on the main branch.
CPython versions tested on:
CPython main branch
Operating systems tested on:
Windows
Linked PRs
Bug report
Bug description:
Bug report
Bug summary
While reviewing the Buffer API implementation in
Objects/abstract.c, I noticed two potential integer overflow vulnerabilities explicitly marked withXXXcomments by developers.These overflows occur in
PyObject_CopyDatawhen dealing with multi-dimensional buffers. If a buffer with artificially large dimensions or shape is provided, it can cause integer wrapping, leading to undersized memory allocations or incorrect element counts.Code snippets
Objects/abstract.c:If
view_src.ndimis large enough,sizeof(Py_ssize_t) * view_src.ndimwill overflow, resulting in a tiny allocation. The subsequent initialization loop will write out of bounds.Objects/abstract.c:If the dimensions in
view_src.shapeare large, multiplying them together can easily overflow theelementsvariable (a signedPy_ssize_t), resulting in a negative or truncated value, causing the subsequentwhile (elements--)loop to behave incorrectly.Proposed Solution
Use standard overflow checking functions before performing the multiplications. For the allocation, consider using
PyMem_NeworPyMem_Mallocalongside an overflow check againstPY_SSIZE_T_MAX.CPython versions tested on:
Currently present on the
mainbranch.CPython versions tested on:
CPython main branch
Operating systems tested on:
Windows
Linked PRs
PyObject_CopyData#153690