Fix CVE-2021-3177 for Python 3.8: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177 Patch copied from upstream source repository: https://github.com/python/cpython/commit/ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f From ece5dfd403dac211f8d3c72701fe7ba7b7aa5b5f Mon Sep 17 00:00:00 2001 From: "Miss Islington (bot)" <31488909+miss-islington@users.noreply.github.com> Date: Mon, 18 Jan 2021 13:28:52 -0800 Subject: [PATCH] closes bpo-42938: Replace snprintf with Python unicode formatting in ctypes param reprs. (GH-24248) (cherry picked from commit 916610ef90a0d0761f08747f7b0905541f0977c7) Co-authored-by: Benjamin Peterson Co-authored-by: Benjamin Peterson --- Lib/ctypes/test/test_parameters.py | 43 ++++++++++++++++ .../2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst | 2 + Modules/_ctypes/callproc.c | 51 +++++++------------ 3 files changed, 64 insertions(+), 32 deletions(-) create mode 100644 Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst diff --git a/Lib/ctypes/test/test_parameters.py b/Lib/ctypes/test/test_parameters.py index e4c25fd880cef..531894fdec838 100644 --- a/Lib/ctypes/test/test_parameters.py +++ b/Lib/ctypes/test/test_parameters.py @@ -201,6 +201,49 @@ def __dict__(self): with self.assertRaises(ZeroDivisionError): WorseStruct().__setstate__({}, b'foo') + def test_parameter_repr(self): + from ctypes import ( + c_bool, + c_char, + c_wchar, + c_byte, + c_ubyte, + c_short, + c_ushort, + c_int, + c_uint, + c_long, + c_ulong, + c_longlong, + c_ulonglong, + c_float, + c_double, + c_longdouble, + c_char_p, + c_wchar_p, + c_void_p, + ) + self.assertRegex(repr(c_bool.from_param(True)), r"^$") + self.assertEqual(repr(c_char.from_param(97)), "") + self.assertRegex(repr(c_wchar.from_param('a')), r"^$") + self.assertEqual(repr(c_byte.from_param(98)), "") + self.assertEqual(repr(c_ubyte.from_param(98)), "") + self.assertEqual(repr(c_short.from_param(511)), "") + self.assertEqual(repr(c_ushort.from_param(511)), "") + self.assertRegex(repr(c_int.from_param(20000)), r"^$") + self.assertRegex(repr(c_uint.from_param(20000)), r"^$") + self.assertRegex(repr(c_long.from_param(20000)), r"^$") + self.assertRegex(repr(c_ulong.from_param(20000)), r"^$") + self.assertRegex(repr(c_longlong.from_param(20000)), r"^$") + self.assertRegex(repr(c_ulonglong.from_param(20000)), r"^$") + self.assertEqual(repr(c_float.from_param(1.5)), "") + self.assertEqual(repr(c_double.from_param(1.5)), "") + self.assertEqual(repr(c_double.from_param(1e300)), "") + self.assertRegex(repr(c_longdouble.from_param(1.5)), r"^$") + self.assertRegex(repr(c_char_p.from_param(b'hihi')), "^$") + self.assertRegex(repr(c_wchar_p.from_param('hihi')), "^$") + self.assertRegex(repr(c_void_p.from_param(0x12)), r"^$") + ################################################################ if __name__ == '__main__': #diff --git a/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst #new file mode 100644 #index 0000000000000..7df65a156feab #--- /dev/null #+++ b/Misc/NEWS.d/next/Security/2021-01-18-09-27-31.bpo-42938.4Zn4Mp.rst #@@ -0,0 +1,2 @@ #+Avoid static buffers when computing the repr of :class:`ctypes.c_double` and #+:class:`ctypes.c_longdouble` values. diff --git a/Modules/_ctypes/callproc.c b/Modules/_ctypes/callproc.c index a9b8675cd951b..de75918d49f37 100644 --- a/Modules/_ctypes/callproc.c +++ b/Modules/_ctypes/callproc.c @@ -484,58 +484,47 @@ is_literal_char(unsigned char c) static PyObject * PyCArg_repr(PyCArgObject *self) { - char buffer[256]; switch(self->tag) { case 'b': case 'B': - sprintf(buffer, "", + return PyUnicode_FromFormat("", self->tag, self->value.b); - break; case 'h': case 'H': - sprintf(buffer, "", + return PyUnicode_FromFormat("", self->tag, self->value.h); - break; case 'i': case 'I': - sprintf(buffer, "", + return PyUnicode_FromFormat("", self->tag, self->value.i); - break; case 'l': case 'L': - sprintf(buffer, "", + return PyUnicode_FromFormat("", self->tag, self->value.l); - break; case 'q': case 'Q': - sprintf(buffer, -#ifdef MS_WIN32 - "", -#else - "", -#endif + return PyUnicode_FromFormat("", self->tag, self->value.q); - break; case 'd': - sprintf(buffer, "", - self->tag, self->value.d); - break; - case 'f': - sprintf(buffer, "", - self->tag, self->value.f); - break; - + case 'f': { + PyObject *f = PyFloat_FromDouble((self->tag == 'f') ? self->value.f : self->value.d); + if (f == NULL) { + return NULL; + } + PyObject *result = PyUnicode_FromFormat("", self->tag, f); + Py_DECREF(f); + return result; + } case 'c': if (is_literal_char((unsigned char)self->value.c)) { - sprintf(buffer, "", + return PyUnicode_FromFormat("", self->tag, self->value.c); } else { - sprintf(buffer, "", + return PyUnicode_FromFormat("", self->tag, (unsigned char)self->value.c); } - break; /* Hm, are these 'z' and 'Z' codes useful at all? Shouldn't they be replaced by the functionality of c_string @@ -544,22 +533,20 @@ PyCArg_repr(PyCArgObject *self) case 'z': case 'Z': case 'P': - sprintf(buffer, "", + return PyUnicode_FromFormat("", self->tag, self->value.p); break; default: if (is_literal_char((unsigned char)self->tag)) { - sprintf(buffer, "", + return PyUnicode_FromFormat("", (unsigned char)self->tag, (void *)self); } else { - sprintf(buffer, "", + return PyUnicode_FromFormat("", (unsigned char)self->tag, (void *)self); } - break; } - return PyUnicode_FromString(buffer); } static PyMemberDef PyCArgType_members[] = {