
Modules/cjkcodecs/_codecs_iso2022.c - read out of bounds #101180

Closed
@stasos24

Description


Bug report

==2729==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffef35c8f14 at pc 0x7f3e0254c47c bp 0x7ffef35c8e50 sp 0x7ffef35c8e48
READ of size 4 at 0x7ffef35c8f14 thread T0
    #0 0x7f3e0254c47b in jisx0213_encoder Modules/cjkcodecs/_codecs_iso2022.c:808
    #1 0x7f3e0254c47b in jisx0213_2004_1_encoder_paironly Modules/cjkcodecs/_codecs_iso2022.c:894
    #2 0x7f3e025469a9 in iso2022_encode Modules/cjkcodecs/_codecs_iso2022.c:196
    #3 0x7f3e02536457 in multibytecodec_encode Modules/cjkcodecs/multibytecodec.c:523
    #4 0x7f3e0253829e in _multibytecodec_MultibyteCodec_encode_impl Modules/cjkcodecs/multibytecodec.c:620
    #5 0x7f3e0253829e in _multibytecodec_MultibyteCodec_encode Modules/cjkcodecs/clinic/multibytecodec.c.h:91
    #6 0x55e4cc690361 in cfunction_vectorcall_FASTCALL_KEYWORDS Objects/methodobject.c:438
    #7 0x55e4cc5b029e in PyObject_Call (/home/kali/Downloads/cpython/python+0x3e629e)
    #8 0x55e4cc841026 in _PyCodec_EncodeInternal Python/codecs.c:419
    #9 0x55e4cc9cb18f in _codecs_encode_impl Modules/_codecsmodule.c:132
    #10 0x55e4cc9cb18f in _codecs_encode Modules/clinic/_codecsmodule.c.h:166
    #11 0x55e4cc690361 in cfunction_vectorcall_FASTCALL_KEYWORDS Objects/methodobject.c:438
    #12 0x55e4cc5af6bf in _PyObject_VectorcallTstate Include/internal/pycore_call.h:92
    #13 0x55e4cc5af6bf in PyObject_Vectorcall Objects/call.c:301
    #14 0x55e4cc4753f6 in _PyEval_EvalFrameDefault Python/generated_cases.c.h:2982
    #15 0x55e4cc83c811 in _PyEval_EvalFrame Include/internal/pycore_ceval.h:88
    #16 0x55e4cc83c811 in _PyEval_Vector Python/ceval.c:1716
    #17 0x55e4cc83c811 in PyEval_EvalCode Python/ceval.c:578
    #18 0x55e4cc91aebd in run_eval_code_obj Python/pythonrun.c:1702
    #19 0x55e4cc91aebd in run_mod Python/pythonrun.c:1723
    #20 0x55e4cc91e6ca in pyrun_file Python/pythonrun.c:1617
    #21 0x55e4cc91e6ca in _PyRun_SimpleFileObject Python/pythonrun.c:439
    #22 0x55e4cc91f17a in _PyRun_AnyFileObject Python/pythonrun.c:78
    #23 0x55e4cc976719 in pymain_run_file_obj Modules/main.c:360
    #24 0x55e4cc976719 in pymain_run_file Modules/main.c:379
    #25 0x55e4cc976719 in pymain_run_python Modules/main.c:610
    #26 0x55e4cc977ebc in Py_RunMain Modules/main.c:689
    #27 0x55e4cc977ebc in pymain_main Modules/main.c:719
    #28 0x55e4cc977ebc in Py_BytesMain Modules/main.c:743
    #29 0x7f3e052d6209 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #30 0x7f3e052d62bb in __libc_start_main_impl ../csu/libc-start.c:389
    #31 0x55e4cc49c3f0 in _start (/home/kali/Downloads/cpython/python+0x2d23f0)

Address 0x7ffef35c8f14 is located in stack of thread T0 at offset 52 in frame
    #0 0x7f3e0254644f in iso2022_encode Modules/cjkcodecs/_codecs_iso2022.c:157

  This frame has 2 object(s):
    [48, 52) 'c' (line 161) <== Memory access at offset 52 overflows this variable
    [64, 72) 'length' (line 184)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow Modules/cjkcodecs/_codecs_iso2022.c:808 in jisx0213_encoder
==2729==ABORTING

Your environment

  • CPython versions tested on: 3.12, 3.11, 3.10
  • Operating system and architecture: x86_64 NAME="Kali GNU/Linux" "2022.3" (reproduced also on other Debian-based OS)

Steps to reproduce

  • CFLAGS="-fsanitize=address" CXXFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address" ./configure
  • make
  • copy test.py and crashfile to /cpython directory
  • run ./python test.py

Prerequisites

crashfile.txt
test.py

```python
import codecs

# crashfile.txt is the attached input that triggers the out-of-bounds read
with open('crashfile.txt', 'r') as f:
    text = f.read()
print(text)
# Encoding with iso2022_jp_2004 reaches jisx0213_encoder via iso2022_encode
codecs.encode(text, encoding='iso2022_jp_2004', errors='ignore')
```
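The frame information in the report says the 4-byte read lands at offset 52, directly after the 4-byte stack object `c` at [48, 52) in `iso2022_encode`, and the reading frame is a "paironly" encoder. The added example below is not CPython's code: it reconstructs that bug class (a pair-aware encoder indexing `data[1]` while the caller only owns a single code point) next to a caller that gives the encoder a real 2-element buffer. All names and the pair table are hypothetical, constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint32_t ucs4_t;
#define MAP_UNMAPPABLE 0xFFFFFFFFu

/* Constructed pair table, not JIS X 0213 data: second == 0 means "first alone". */
struct pair_map { ucs4_t first, second; uint32_t coded; };
static const struct pair_map PAIRS[] = {
    { 0x304B, 0x309A, 0xA4F7 },
    { 0x304B, 0x0000, 0xA4AB },
};

/* Callee shaped like the report's pair-only encoder: with *length == 2 it
 * reads data[1], so the caller must guarantee that data[1] exists. */
static uint32_t pair_encoder(const ucs4_t *data, size_t *length)
{
    ucs4_t second = (*length == 2) ? data[1] : 0;
    for (size_t i = 0; i < sizeof PAIRS / sizeof PAIRS[0]; i++)
        if (PAIRS[i].first == data[0] && PAIRS[i].second == second)
            return PAIRS[i].coded;
    if (*length == 2) {              /* no pair match: retry with the base alone */
        *length = 1;
        return pair_encoder(data, length);
    }
    return MAP_UNMAPPABLE;
}

/* The shape ASan flagged: ucs4_t c = in[pos]; length = 2; pair_encoder(&c, &length)
 * reads 4 bytes past 'c'. Hardened caller: a 2-element buffer, and a pair lookup
 * only when a second input code point exists. Consumes 1 or 2 code points. */
static uint32_t encode_next(const ucs4_t *in, size_t inlen, size_t *pos)
{
    ucs4_t buf[2] = { in[*pos], 0 };
    size_t length = (inlen - *pos >= 2) ? 2 : 1;
    if (length == 2)
        buf[1] = in[*pos + 1];
    uint32_t coded = pair_encoder(buf, &length);
    if (coded != MAP_UNMAPPABLE)
        *pos += length;
    return coded;
}

/* Code points consumed by the first encode step (0 if unmappable). */
static size_t first_step_consumed(const ucs4_t *in, size_t inlen)
{
    size_t pos = 0;
    encode_next(in, inlen, &pos);
    return pos;
}
```

The trailing-single-code-point case is the one to watch: with the buffer-based caller the encoder is asked for a pair only when `in[pos + 1]` exists, so the `data[1]` read always stays inside the caller's own storage.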
