py/objdeque.c: Fix buffer overflow in deque_subscr(). #16108


Merged: 2 commits merged on Nov 4, 2024

Conversation

jansturm92 (Contributor)

Summary

This PR resolves an off-by-one buffer overflow in py/objdeque.c when using deque with indexing. The error occurs when appending data beyond the size of the allocated buffer (discarding items from the opposite end) without overflow checking.

Reproduction

The following code demonstrates the issue on all boards/ports:

from collections import deque

d = deque((), 2)

for i in range(4):
    d.append(i)
    print(f"{i=} {d[-1]=}")

Expected Output

i=0 d[-1]=0
i=1 d[-1]=1
i=2 d[-1]=2
i=3 d[-1]=3

Actual Output

i=0 d[-1]=0
i=1 d[-1]=1
i=2 d[-1]=2
Traceback (most recent call last):
  File "/tmp/deque_fail.py", line 7, in <module>
TypeError: 'deque' object isn't subscriptable

Root Cause

The issue arises from an off-by-one error in deque_subscr(). If index_val equals self->alloc, the necessary index correction index_val -= self->alloc is skipped, leading to an out-of-bounds access when self->items[index_val] is called. Since self->items has a length of self->alloc, this results in a buffer overflow.

This fix ensures that the index correction is applied whenever index_val >= self->alloc, preventing access beyond the allocated buffer size.

Testing

Tested on unix and esp32 port.
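The off-by-one described above, replayed in a small constructed ring-buffer model. This is added illustration, not code from the PR or from MicroPython's py/objdeque.c; the field names (items, alloc, i_get, i_put) follow the PR text, while the layout alloc = maxlen + 1 with one slot kept free is an assumption of the example. `ring_slot()` computes the physical index with either comparison and reports, without dereferencing, whether the read would land outside items[].

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a maxlen-bounded deque (not MicroPython's code). */
#define MAXLEN 2
#define ALLOC (MAXLEN + 1)   /* assumption: one free slot separates full from empty */

typedef struct {
    int items[ALLOC];
    size_t alloc, i_get, i_put;
} ring_deque_t;

static size_t ring_len(const ring_deque_t *d) {
    return (d->i_put + d->alloc - d->i_get) % d->alloc;
}

/* Append at i_put; when the buffer is full the oldest item is dropped by
 * advancing i_get, which is what deque(maxlen=...) does on overflow. */
static void ring_append(ring_deque_t *d, int v) {
    size_t new_i_put = d->i_put + 1;
    if (new_i_put == d->alloc) new_i_put = 0;
    d->items[d->i_put] = v;
    d->i_put = new_i_put;
    if (d->i_get == new_i_put) {          /* overwrote the oldest slot */
        if (++d->i_get == d->alloc) d->i_get = 0;
    }
}

/* Map a logical offset (0 = oldest) to a physical slot. `fixed` selects the
 * PR's `>=` wrap check instead of the original `>`. Returns false when the
 * slot lies outside items[], i.e. the read would overflow the buffer. */
static bool ring_slot(const ring_deque_t *d, size_t offset, bool fixed, size_t *slot) {
    size_t index_val = d->i_get + offset;
    if (fixed ? index_val >= d->alloc : index_val > d->alloc) index_val -= d->alloc;
    *slot = index_val;
    return index_val < d->alloc;
}

/* Replay the PR's reproduction: maxlen 2, append 0..3, read d[-1] each time.
 * Returns the first i whose d[-1] read would go out of bounds, or -1. */
int first_bad_append(bool fixed) {
    ring_deque_t d = { {0}, ALLOC, 0, 0 };
    for (int i = 0; i < 4; i++) {
        ring_append(&d, i);
        size_t slot;
        if (!ring_slot(&d, ring_len(&d) - 1, fixed, &slot)) return i;
    }
    return -1;
}

/* Value of d[-1] after `appends` appends (appends >= 1) with the fixed check. */
int last_value_fixed(int appends) {
    ring_deque_t d = { {0}, ALLOC, 0, 0 };
    size_t slot = 0;
    for (int i = 0; i < appends; i++) ring_append(&d, i);
    ring_slot(&d, ring_len(&d) - 1, true, &slot);
    return d.items[slot];
}
```

With the original `>` check the fourth append (i=3) yields index_val == alloc and an out-of-bounds slot, matching the traceback in the reproduction; with `>=` every read stays inside items[].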

codecov bot commented Oct 29, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 98.57%. Comparing base (0e490b7) to head (c88a9d6).
Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #16108   +/-   ##
=======================================
  Coverage   98.57%   98.57%           
=======================================
  Files         164      164           
  Lines       21345    21345           
=======================================
+ Hits        21040    21041    +1     
+ Misses        305      304    -1     


Code size report:

   bare-arm:    +0 +0.000% 
minimal x86:    +0 +0.000% 
   unix x64:    +0 +0.000% standard
      stm32:    +0 +0.000% PYBV10
     mimxrt:    +0 +0.000% TEENSY40
        rp2:    +0 +0.000% RPI_PICO_W
       samd:    +0 +0.000% ADAFRUIT_ITSYBITSY_M4_EXPRESS
  qemu rv32:    +0 +0.000% VIRT_RV32

@dpgeorge (Member)

Thanks for the fix!

I've pushed a second commit to this PR, to add your test case (and another similar test).

@dpgeorge dpgeorge added the py-core Relates to py/ directory in source label Oct 30, 2024
jansturm92 and others added 2 commits November 4, 2024 11:21
In `deque_subscr()`, if `index_val` equals `self->alloc`, the index
correction `index_val -= self->alloc` does not execute, leading to an
out-of-bounds access in `self->items[index_val]`.

The fix in this commit ensures that the index correction is applied
whenever `index_val >= self->alloc`, preventing access beyond the allocated
buffer size.

Signed-off-by: Jan Sturm <jansturm92@googlemail.com>
Signed-off-by: Damien George <damien@micropython.org>
@dpgeorge dpgeorge merged commit c88a9d6 into micropython:master Nov 4, 2024
64 checks passed
@jansturm92 jansturm92 deleted the fix-deque branch November 4, 2024 17:20
@dpgeorge dpgeorge added this to the release-1.24.1 milestone Nov 12, 2024