Insecure string comparison (incomplete comparison) in _convert_from_str of descriptor.c

[awen-li]

Reproducing code example:

Snippet:

    /* Check for a deprecated Numeric-style typecode */
    /* `Uint` has deliberately weird uppercasing */
    char *dep_tps[] = {"Bytes", "Datetime64", "Str", "Uint"};
    int ndep_tps = sizeof(dep_tps) / sizeof(dep_tps[0]);
    for (int i = 0; i < ndep_tps; ++i) {
        char *dep_tp = dep_tps[i];
        if (strncmp(type, dep_tp, strlen(dep_tp)) == 0) {   ------> '\0' not considered here, should be strlen(dep_tp)+1. (value of "type" may come from external modules)
            /* Deprecated 2020-06-09, NumPy 1.20 */
            if (DEPRECATE("Numeric-style type codes are "
                          "deprecated and will result in "
                          "an error in the future.") < 0) {
                goto fail;
            }
        }
    }

Error message:

When we run our analysis tool on NumPy, an incomplete comparison problem was reported, see details below:
File: numpy/core/src/multiarray/descriptor.c
Function: _convert_from_str (line 1727 : 1740)
Optional call-path: PyArray_DescrAlignConverter -> _convert_from_any -> _convert_from_str
Details in description

NumPy/Python version information:

the main branch of NumPy

[seberg]

I doubt it matters (its not like this is relevant for security or anything). But adding the +1 would be good, also to avoid the slightly wrong things being copied.

[NectDz]

Do you mind telling me the tool that was used to reproduce to get that error message?

[NectDz]

1. Forked numpy and then cloned it
2. Ran python tests using "python3 runtests.py -v" and the build passed
3. The change I made was the following

diff --git a/numpy/core/src/multiarray/descriptor.c b/numpy/core/src/multiarray/descriptor.c
index 58aa608c3..f6202c7ea 100644
--- a/numpy/core/src/multiarray/descriptor.c
+++ b/numpy/core/src/multiarray/descriptor.c
@@ -1729,7 +1729,7 @@ _convert_from_str(PyObject *obj, int align)
         for (int i = 0; i < ndep_tps; ++i) {
             char *dep_tp = dep_tps[i];
 
-            if (strncmp(type, dep_tp, strlen(dep_tp)) == 0) {
+            if (strncmp(type, dep_tp, strlen(dep_tp)) + 1) {
                 /* Deprecated 2020-06-09, NumPy 1.20 */
                 if (DEPRECATE("Numeric-style type codes are "
                               "deprecated and will result in "

4. Ran the tests again and received the following error: ERROR numpy/core/tests/test_regression.py - TypeError: data type 'int32' not understood

Do you know where I might of gone wrong and why I am seeing this error?

[eric-wieser]

That change is nonsense, you removed the ==.

[seberg]

You removed the == 0, that would invert the logic.