Messages (8) msg271796 - (view) Author: Steve Fink (Steve Fink) Date: 2016-08-01 23:52

When attempting to run |hg chistedit|, which uses the python curses module, I am getting *** stack smashing detected ***: /usr/bin/python terminated

The problem is in PyCursesWindow_Box in _cursesmodule.c:

        if (!PyArg_ParseTuple(args,"ll;vertint,horint", &ch1, &ch2))
            return NULL;

ch1 and ch2 are of type 'chtype', which is a 4-byte integer on my platform. (I am on a fresh install of Fedora 24 x86_64.) The format string 'l' is writing 8 bytes. It is hard to fit 8 bytes into a 4 byte variable.

I scanned through the rest of the file. Most places are very careful about this; if needed, they'll parse into a 'long' temporary and then assign. But here's another one in PyCurses_UngetMouse:

    MEVENT event;
    PyCursesInitialised;
    if (!PyArg_ParseTuple(args, "hiiil",
                          &event.id,
                          &event.x, &event.y, &event.z,
                          (int *) &event.bstate))
        return NULL;

event.bstate is of type mmask_t, which is also 4 bytes.

I did not find any more in that file.

% rpm -q python-libs
python-libs-2.7.12-1.fc24.x86_64

msg273248 - (view) Author: Steve Fink (Steve Fink) Date: 2016-08-20 22:26

I'm running now (successfully) with a simpler patch, just changing it to parse format 'i', but this patch is probably a bit safer.

msg305386 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * Date: 2017-11-01 17:01

Thank you for your patch Steve.

It is better to use PyCurses_ConvertToChtype() which is used for parsing all chtype arguments.

msg305394 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * Date: 2017-11-01 19:23

New changeset aad7ac10af6ed40fc21b842e04be0b04b2915d4a by Serhiy Storchaka (Miss Islington (bot)) in branch '3.6':
bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). (GH-4220) (#4221)
https://github.com/python/cpython/commit/aad7ac10af6ed40fc21b842e04be0b04b2915d4a

msg305395 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * Date: 2017-11-01 19:24

New changeset b694770a2b23cd485c98bf673a8b2dc1a865d9df by Serhiy Storchaka (Miss Islington (bot)) in branch '2.7':
bpo-27666: Fixed stack corruption in curses.box() and curses.ungetmouse(). (GH-4220) (#4222)
https://github.com/python/cpython/commit/b694770a2b23cd485c98bf673a8b2dc1a865d9df

msg305704 - (view) Author: STINNER Victor (vstinner) * Date: 2017-11-07 01:03

The Python 2.7 backport (commit b694770a2b23cd485c98bf673a8b2dc1a865d9df) is wrong. The _curses module cannot be compiled anymore:

Example of compilation errors:

/home/haypo/prog/python/2.7/Modules/_cursesmodule.c: In function 'PyCursesWindow_Box':
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:39: warning: passing argument 1 of 'PyCurses_ConvertToChtype' from incompatible pointer type [-Wincompatible-pointer-types]
         if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
                                       ^~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: expected 'PyObject * {aka struct _object *}' but argument is of type 'PyCursesWindowObject * {aka struct <anonymous> *}'
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:45: warning: passing argument 2 of 'PyCurses_ConvertToChtype' from incompatible pointer type [-Wincompatible-pointer-types]
         if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
                                             ^~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: expected 'chtype * {aka unsigned int *}' but argument is of type 'PyObject * {aka struct _object *}'
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:649:14: error: too many arguments to function 'PyCurses_ConvertToChtype'
         if (!PyCurses_ConvertToChtype(self, temp1, &ch1)) {
              ^~~~~~~~~~~~~~~~~~~~~~~~
/home/haypo/prog/python/2.7/Modules/_cursesmodule.c:195:1: note: declared here
 PyCurses_ConvertToChtype(PyObject *obj, chtype *ch)
 ^~~~~~~~~~~~~~~~~~~~~~~~

msg305717 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * Date: 2017-11-07 07:55

New changeset 69ea4b4deb123c9a3c986b7afb85183732784f4f by Serhiy Storchaka in branch '2.7':
Fix bpo-27666 backporting error in _cursesmodule.c (#4305)
https://github.com/python/cpython/commit/69ea4b4deb123c9a3c986b7afb85183732784f4f

msg305718 - (view) Author: Serhiy Storchaka (serhiy.storchaka) * Date: 2017-11-07 07:56

Thank you for catching this Victor.

History Date User Action Args 2022-04-11 14:58:34adminsetgithub: 71853 2017-11-07 07:56:22serhiy.storchakasetmessages: + msg305718 2017-11-07 07:55:40serhiy.storchakasetstatus: open -> closed
resolution: fixed
messages: + msg305717

stage: patch review -> resolved

2017-11-07 07:09:06serhiy.storchakasetstage: resolved -> patch review
pull_requests: + pull_request4268 2017-11-07 01:03:45vstinnersetstatus: closed -> open

nosy: + vstinner
messages: + msg305704

resolution: fixed -> (no value)

2017-11-01 19:26:21serhiy.storchakasetstatus: open -> closed
resolution: fixed
stage: patch review -> resolved 2017-11-01 19:24:02serhiy.storchakasetmessages: + msg305395 2017-11-01 19:24:02python-devsetpull_requests: + pull_request4190 2017-11-01 19:23:52serhiy.storchakasetmessages: + msg305394 2017-11-01 18:49:58python-devsetpull_requests: + pull_request4189 2017-11-01 17:02:05serhiy.storchakasetassignee: serhiy.storchaka
versions: + Python 3.6, Python 3.7 2017-11-01 17:01:54serhiy.storchakasetmessages: + msg305386 2017-11-01 16:54:43serhiy.storchakasetstage: needs patch -> patch review
pull_requests: + pull_request4188 2016-08-20 22:26:22Steve Finksetfiles: + python-2.7.12-curses-argparse.patch
keywords: + patch
messages: + msg273248
2016-08-02 13:27:45serhiy.storchakasetnosy: + serhiy.storchaka

stage: needs patch

2016-08-02 08:41:24SilentGhostsetnosy: + twouters
components: + Extension Modules, - Library (Lib)
2016-08-01 23:52:30Steve Finkcreate