Potential Security Vulnerabilities: Type Mismatch in PyArg_ParseTuple for Size Parameter

[yhrscholar]

Description:

In pygit2/src/odb_backend.c, the C functions pgit_odb_backend_read and pgit_odb_backend_read_prefix are used as callbacks for libgit2's custom ODB backend mechanism.

The code passes the function parameter sz (which is of type size_t * ) as the argument intended to receive the size:

//pgit_odb_backend_read
if (!PyArg_ParseTuple(result, "ny#", &type_value, &bytes, sz) || !bytes) { ... }

//pgit_odb_backend_read_prefix
if (!PyArg_ParseTuple(result, "ny#O", &type_value, &bytes, sz, &py_oid_out) || !bytes) { ... }

This constitutes passing an incorrect pointer type (size_t * instead of Py_ssize_t *) to PyArg_ParseTuple.

Version

commit hash: cb10c2e

[yhrscholar]

Impact

PyArg_ParseTuple will attempt to write a Py_ssize_t value into memory intended for a size_t. This can lead to:
Memory corruption if sizeof(Py_ssize_t) differs from sizeof(size_t) (potentially causing a buffer overflow during the write within PyArg_ParseTuple if Py_ssize_t is larger).

So, in the following code,

//pgit_odb_backend_read
memcpy(*ptr, bytes, *sz);

//pgit_odb_backend_read_prefix
memcpy(*ptr, bytes, *sz);

If the incorrect *sz value is excessively large, the memcpy call could read past the end of the source buffer (bytes) or write past the end of the newly allocated destination buffer (*ptr), leading to crashes or further memory corruption.

[yhrscholar]

Hi team,

Could you please confirm the bug at your earliest convenience? Thank you.