
Potential Null pointer access in CMS_Conservative_increment_obj

Open awen-li opened this issue 3 years ago • 3 comments

Description

In CMS_Conservative_init, w is received from Python code. Its size is not validated, hence "self->table[i] = (CMS_CELL_TYPE *) calloc(self->width, sizeof(CMS_CELL_TYPE));" may fail, which causes a NULL pointer. self->table[i] would then be accessed in CMS_Conservative_increment_obj, which makes Python crash.

Steps/Code/Corpus to Reproduce

```c
static int
CMS_VARIANT(_init)(CMS_TYPE *self, PyObject *args, PyObject *kwds)
{
    .........................
    for (i = 0; i < self->depth; i++)
    {
        /* calloc returns NULL when self->width is too large; the result is not checked */
        self->table[i] = (CMS_CELL_TYPE *) calloc(self->width, sizeof(CMS_CELL_TYPE));
        printf ("[%d]self->table[%d] = %p \r\n", i, i, self->table[i]);
    }
    ...........................
```

Optional call-path: increment -> CMS_Log1024_increment -> CMS_Conservative_increment_obj

Expected Results

When w is set to an arbitrary number, Python should not crash.

Actual Results

crash

Versions

the main branch

awen-li avatar May 14 '21 08:05 awen-li
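The failure mode described above is a missing NULL check after calloc, compounded by the fact that width and depth arrive from Python unvalidated. Below is an added, stand-alone C example (not bounter's code; every name in it, including cms_table_alloc, cms_table_t and the cms_cell_t stand-in for CMS_CELL_TYPE, is hypothetical) that models the row-allocation loop in a hardened form: sizes are validated before calloc is called, every allocation result is checked, a partially built table is released on failure, and the increment path refuses to touch a missing row. In the real extension the NULL return would be turned into a Python MemoryError or ValueError instead of being dereferenced later.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for the project's CMS_CELL_TYPE (hypothetical; the real type is
 * defined inside bounter's C extension). */
typedef uint32_t cms_cell_t;

/* A count-min sketch table: depth rows of width cells each. */
typedef struct {
    size_t width;
    size_t depth;
    cms_cell_t **table;
} cms_table_t;

/* Releases a table, including one that was only partially allocated. */
void cms_table_free(cms_table_t *t)
{
    if (t == NULL) return;
    if (t->table != NULL) {
        for (size_t i = 0; i < t->depth; i++)
            free(t->table[i]);          /* free(NULL) is a no-op */
        free(t->table);
    }
    free(t);
}

/* Hardened allocation: rejects zero or overflowing sizes up front, checks every
 * calloc result, and never leaves a NULL row behind. Returns NULL on failure. */
cms_table_t *cms_table_alloc(size_t width, size_t depth)
{
    if (width == 0 || depth == 0)
        return NULL;
    /* width * sizeof(cell) must fit in size_t before calloc is even attempted */
    if (width > SIZE_MAX / sizeof(cms_cell_t))
        return NULL;
    if (depth > SIZE_MAX / sizeof(cms_cell_t *))
        return NULL;

    cms_table_t *t = calloc(1, sizeof(*t));
    if (t == NULL)
        return NULL;
    t->width = width;
    t->depth = depth;
    t->table = calloc(depth, sizeof(cms_cell_t *));
    if (t->table == NULL) {
        free(t);
        return NULL;
    }
    for (size_t i = 0; i < depth; i++) {
        t->table[i] = calloc(width, sizeof(cms_cell_t));
        if (t->table[i] == NULL) {      /* the check the reported loop lacks */
            cms_table_free(t);          /* depth is set, so rows 0..i-1 are freed */
            return NULL;
        }
    }
    return t;
}

/* Bounds-checked increment; returns 0 on success, -1 if the row or column is
 * invalid or the row was never allocated. */
int cms_table_increment(cms_table_t *t, size_t row, size_t col)
{
    if (t == NULL || row >= t->depth || col >= t->width || t->table[row] == NULL)
        return -1;
    t->table[row][col]++;
    return 0;
}

/* Demo: a small table can be built and updated, and an absurd width is
 * rejected without crashing. Returns 1 when both hold. */
int cms_demo(void)
{
    cms_table_t *small = cms_table_alloc(1024, 4);
    if (small == NULL) return 0;
    int ok = cms_table_increment(small, 3, 1023) == 0 && small->table[3][1023] == 1;
    cms_table_free(small);

    /* width too large for width * sizeof(cell) to fit in size_t */
    cms_table_t *huge = cms_table_alloc(SIZE_MAX, 32);
    return ok && huge == NULL;
}
```

The up-front overflow check matters because `calloc(width, sizeof(cell))` with an overflowing product is exactly the case where some allocators historically returned a too-small buffer instead of NULL; checking the return value alone would not catch that.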

PoC:

```python
from bounter import CountMinSketch

Cms = None
LogCounting = None

def setUp(LogCounting=None):
    return CountMinSketch(1, width=2**31, depth=32, log_counting=LogCounting)

Cms = setUp()
for i in range(0, 100):
    Cms.increment('foo')
    Cms.increment('bar')

print(Cms['foo'])
print(Cms['bar'])
```

Crash: Segmentation fault (core dumped)

awen-li avatar Sep 16 '21 23:09 awen-li

@Daybreak2019 can you open a PR with a fix? Thanks!

piskvorky avatar Sep 17 '21 07:09 piskvorky

FWIW, this seems to have had a CVE opened against it: https://nvd.nist.gov/vuln/detail/CVE-2021-41497

eric-wieser avatar Jan 13 '22 14:01 eric-wieser