Vigil@nce - Python: incorrect decoding of UTF-16
May 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When a Python application decodes UTF-16 data containing errors, a
desynchronization occurs, which leads to a memory read or
corruption.
Severity: 2/4
Creation date: 25/04/2012
IMPACTED PRODUCTS
– Microsoft Windows - plateform
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The UTF-16 encoding is used to represent Unicode characters on two
bytes.
When UTF-16 data contain invalid characters, the
unicode_decode_call_errorhandler() function is called. However, it
does not update the aligned_end variable. Data which are processed
later are thus incorrectly managed.
When a Python application decodes UTF-16 data containing errors, a
desynchronization therefore occurs, which leads to a memory read
or corruption.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Python-incorrect-decoding-of-UTF-16-11568