CVE-2021-33430: Potential buffer overflow in PyArray_NewFromDescr_int of ctors.c · Issue #18939 · numpy/numpy
A Buffer Overflow vulnerability exists in NumPy 1.9.x in the PyArray_NewFromDescr_int function of ctors.c when specifying arrays of large dimensions (over 32) from Python code, which could let a malicious user cause a Denial of Service.
```c
/* Excerpt of PyArray_NewFromDescr_int from numpy/core/src/multiarray/ctors.c
   as quoted in the report; the "...." elisions are the reporter's. */
PyArray_NewFromDescr_int(...., int nd, ......)
{
    ...............
    if (descr->subarray) {
        PyObject *ret;
        /* fixed-size stack buffer: NPY_MAXDIMS dims followed by NPY_MAXDIMS strides */
        npy_intp newdims[2*NPY_MAXDIMS];
        npy_intp *newstrides = NULL;
        /* nd is used as the copy length without being bounded by NPY_MAXDIMS here */
        memcpy(newdims, dims, nd*sizeof(npy_intp));
        if (strides) {
            newstrides = newdims + NPY_MAXDIMS;
            /* with nd > NPY_MAXDIMS this copy runs past the end of newdims */
            memcpy(newstrides, strides, nd*sizeof(npy_intp));
        }
        ........
    }
```
When we ran our analysis tool on NumPy, a potential buffer-overflow problem was reported. See details below:
File: numpy/core/src/multiarray/ctors.c
Function: PyArray_NewFromDescr_int
Details in description
Possible call paths:
1. array_new -> PyArray_NewFromDescr_int
2. PyArray_Zeros -> PyArray_NewFromDescr_int
3. array_fromfile -> PyArray_FromFile -> PyArray_NewFromDescr_int
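The following stand-alone C program is an added example; it is not code from this issue or from NumPy. It models the two memcpy calls in the quoted excerpt arithmetically (model_overrun) to show exactly when each write leaves the 2*NPY_MAXDIMS stack buffer, and places the bounds check the excerpt lacks in a hardened variant (copy_subarray_dims_checked). NPY_MAXDIMS, npy_intp, the function names and the demo inputs are local assumptions that mirror NumPy's names; whether the Python-level callers in the listed paths can actually reach this function with nd > NPY_MAXDIMS is not established by this report.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-ins for NumPy's definitions (not NumPy's headers). */
#define NPY_MAXDIMS 32
typedef intptr_t npy_intp;

/* How many npy_intp elements each memcpy in the excerpt would write past
   the end of npy_intp newdims[2*NPY_MAXDIMS] for a given nd. */
typedef struct {
    int dims_overrun;     /* from memcpy(newdims, dims, nd*sizeof(npy_intp)) */
    int strides_overrun;  /* from memcpy(newdims+NPY_MAXDIMS, strides, nd*sizeof(npy_intp)) */
} overrun_t;

overrun_t model_overrun(int nd, int has_strides)
{
    const int cap = 2 * NPY_MAXDIMS;
    overrun_t r = {0, 0};
    /* dims land at newdims[0 .. nd): overflow only once nd > 2*NPY_MAXDIMS */
    if (nd > cap) {
        r.dims_overrun = nd - cap;
    }
    /* strides land at newdims[NPY_MAXDIMS .. NPY_MAXDIMS+nd): overflow as soon
       as nd > NPY_MAXDIMS, which is the "over 32" case in the CVE text */
    if (has_strides && NPY_MAXDIMS + nd > cap) {
        r.strides_overrun = NPY_MAXDIMS + nd - cap;
    }
    return r;
}

/* Hardened form of the excerpt: reject nd outside [0, NPY_MAXDIMS] before
   touching the fixed-size buffer. Returns 0 on success, -1 if rejected. */
int copy_subarray_dims_checked(const npy_intp *dims, const npy_intp *strides,
                               int nd, npy_intp newdims[2 * NPY_MAXDIMS],
                               npy_intp **newstrides_out)
{
    if (nd < 0 || nd > NPY_MAXDIMS) {
        return -1;   /* the guard missing from the excerpt */
    }
    memcpy(newdims, dims, (size_t)nd * sizeof(npy_intp));
    *newstrides_out = NULL;
    if (strides) {
        *newstrides_out = newdims + NPY_MAXDIMS;
        memcpy(*newstrides_out, strides, (size_t)nd * sizeof(npy_intp));
    }
    return 0;
}

/* Drives the hardened copy with constructed input: dims[i] = i+1,
   strides[i] = 8*(i+1). Returns 0 on success, -1 if nd was rejected,
   -2 if nd exceeds the demo arrays, -3 if the copied values are wrong. */
int demo_checked_copy(int nd)
{
    enum { DEMO_MAX = 2 * NPY_MAXDIMS + 8 };
    npy_intp dims[DEMO_MAX], strides[DEMO_MAX];
    npy_intp newdims[2 * NPY_MAXDIMS];
    npy_intp *newstrides = NULL;
    if (nd < 0 || nd > DEMO_MAX) {
        return -2;
    }
    for (int i = 0; i < nd; i++) {
        dims[i] = i + 1;
        strides[i] = 8 * (i + 1);
    }
    int rc = copy_subarray_dims_checked(dims, strides, nd, newdims, &newstrides);
    if (rc != 0) {
        return rc;
    }
    for (int i = 0; i < nd; i++) {
        if (newdims[i] != dims[i] || newstrides[i] != strides[i]) {
            return -3;
        }
    }
    return 0;
}

int main(void)
{
    const int cases[] = {32, 33, 64, 65};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        overrun_t o = model_overrun(cases[i], 1);
        printf("nd=%d: dims overrun %d, strides overrun %d, checked copy rc=%d\n",
               cases[i], o.dims_overrun, o.strides_overrun,
               demo_checked_copy(cases[i]));
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall demo.c && ./a.out`. The model makes the two thresholds explicit: with strides present the second memcpy overruns for any nd above NPY_MAXDIMS, while the first memcpy alone only overruns once nd passes 2*NPY_MAXDIMS. The hardened copy rejects nd before either write rather than after, which is where a reviewer would want the check regardless of whether the listed Python-level callers can reach this point with such an nd.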