Potential Security Vulnerabilities: Type Mismatch in PyArg_ParseTuple for Size Parameter · Issue #1368 · libgit2/pygit2 · GitHub

Potential Security Vulnerabilities: Type Mismatch in PyArg_ParseTuple for Size Parameter #1368


Open
yhrscholar opened this issue Apr 23, 2025 · 2 comments

Comments

@yhrscholar

Description:

In pygit2/src/odb_backend.c, the C functions pgit_odb_backend_read and pgit_odb_backend_read_prefix are used as callbacks for libgit2's custom ODB backend mechanism.

The code passes the function parameter sz (which is of type size_t * ) as the argument intended to receive the size:

```c
// pgit_odb_backend_read
if (!PyArg_ParseTuple(result, "ny#", &type_value, &bytes, sz) || !bytes) { ... }

// pgit_odb_backend_read_prefix
if (!PyArg_ParseTuple(result, "ny#O", &type_value, &bytes, sz, &py_oid_out) || !bytes) { ... }
```

This constitutes passing an incorrect pointer type (size_t * instead of Py_ssize_t *) to PyArg_ParseTuple.

Version

commit hash: cb10c2e

@yhrscholar

Impact

PyArg_ParseTuple will attempt to write a Py_ssize_t value into memory intended for a size_t. This can lead to:

- Memory corruption if sizeof(Py_ssize_t) differs from sizeof(size_t) (potentially causing a buffer overflow during the write within PyArg_ParseTuple if Py_ssize_t is larger).

So, in the following code:

```c
// pgit_odb_backend_read
memcpy(*ptr, bytes, *sz);

// pgit_odb_backend_read_prefix
memcpy(*ptr, bytes, *sz);
```

If the incorrect *sz value is excessively large, the memcpy call could read past the end of the source buffer (bytes) or write past the end of the newly allocated destination buffer (*ptr), leading to crashes or further memory corruption.
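The pattern a maintainer would apply for this report, as an added example that is not pygit2's code: parse the `y#` length into a local `Py_ssize_t`, reject negative values, and only then hand a `size_t` to the libgit2 callback contract. `Py_ssize_t` is a local typedef stand-in so the snippet compiles without Python headers, and `odb_len_to_size` / `odb_copy_object` are hypothetical names.

```c
/* Added example, not pygit2's code. Shows the defensive handling of a
 * length produced by PyArg_ParseTuple("y#") before it reaches a size_t
 * out-parameter. Py_ssize_t is emulated with a local typedef so this
 * compiles without Python headers (assumption). */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

typedef ssize_t Py_ssize_t;   /* stand-in for CPython's Py_ssize_t */

/* CPython defines Py_ssize_t as the signed twin of size_t, so on every
 * supported platform the widths match; this check turns the width
 * concern from the report into a compile-time failure instead of a
 * silent out-of-bounds write. */
_Static_assert(sizeof(Py_ssize_t) == sizeof(size_t),
               "Py_ssize_t and size_t differ in width");

/* Convert a "y#" length into the size_t a read callback must return.
 * Returns -1 (libgit2 callback error convention) for negative values
 * instead of letting them wrap to a huge size_t. */
int odb_len_to_size(Py_ssize_t len, size_t *sz_out)
{
    if (len < 0)
        return -1;
    *sz_out = (size_t)len;
    return 0;
}

/* Shape of a corrected callback body: the parsed length lives in a
 * local Py_ssize_t, is validated, and only the validated size_t bounds
 * the memcpy into the freshly allocated buffer. */
int odb_copy_object(const char *bytes, Py_ssize_t len,
                    void **ptr_out, size_t *sz_out)
{
    size_t sz;
    char *buf;

    *ptr_out = NULL;
    *sz_out = 0;
    if (bytes == NULL || odb_len_to_size(len, &sz) < 0)
        return -1;
    buf = malloc(sz ? sz : 1);      /* malloc(0) may legally return NULL */
    if (buf == NULL)
        return -1;
    memcpy(buf, bytes, sz);         /* bounded by the validated length */
    *ptr_out = buf;
    *sz_out = sz;
    return 0;
}
```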

@yhrscholar

Hi team,

Could you please confirm the bug at your earliest convenience? Thank you.
