From 79d5acbd01fed21e1c8e46b06690072375de0bfe Mon Sep 17 00:00:00 2001 From: Damien George Date: Fri, 1 Sep 2017 10:53:29 +1000 Subject: py/modstruct: Check and prevent buffer-read overflow in struct unpacking Prior to this patch, the size of the buffer given to unpack/unpack_from was checked for being too small by using the count of the arguments, not their actual size. For example, a format spec of '4I' would only check that there was 4 bytes available, not 16; and 'I' would check for 1 byte, not 4. This bug is fixed in this patch by calculating the total size of the format spec at the start of the unpacking function. This function anyway needs to calculate the number of items at the start, so calculating the total size can be done at the same time. --- tests/basics/struct2.py | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'tests/basics/struct2.py') diff --git a/tests/basics/struct2.py b/tests/basics/struct2.py index 3b9dd5c1f6..e3336c0c78 100644 --- a/tests/basics/struct2.py +++ b/tests/basics/struct2.py @@ -25,6 +25,12 @@ print(struct.calcsize('0s1s0H2H')) print(struct.unpack('<0s1s0H2H', b'01234')) print(struct.pack('<0s1s0H2H', b'abc', b'abc', 258, 515)) +# check that we get an error if the buffer is too small +try: + struct.unpack('2H', b'\x00\x00') +except: + print('Exception') + # check that unknown types raise an exception try: struct.unpack('z', b'1') -- cgit v1.2.3