Potential Null pointer access in CMS_Conservative_increment_obj

[awen-li]

Description

In CMS_Conservative_init, w is received from Python code.
Its size is not validated hence "self->table[i] = (CMS_CELL_TYPE *) calloc(self->width, sizeof(CMS_CELL_TYPE));" may fail , which cause the Null pointer.
self->table[i] would be accessed in CMS_Conservative_increment_obj, which make the Python crash down.

Steps/Code/Corpus to Reproduce

static int
CMS_VARIANT(_init)(CMS_TYPE *self, PyObject *args, PyObject *kwds)
{
    .........................
    for (i = 0; i < self->depth; i++)
    {
        self->table[i] = (CMS_CELL_TYPE *) calloc(self->width, sizeof(CMS_CELL_TYPE));
        printf ("[%d]self->table[%d] = %p \r\n", i, i, self->table[i]);
    }
    ...........................

Optional call-path: increment -> CMS_Log1024_increment -> CMS_Conservative_increment_obj

Expected Results

when w is set as an arbitrary number, Python can not crash down.

Actual Results

crash

Versions

the main branch

[awen-li]

PoC:

from bounter import CountMinSketch

Cms = None
LogCounting = None

def setUp(LogCounting = None):
return CountMinSketch(1, width=2**31, depth=32, log_counting=LogCounting)

Cms = setUp ()
for i in range (0, 100):
Cms.increment('foo')
Cms.increment('bar')

print (Cms['foo'])
print (Cms['bar'])

Crash: Segmentation fault (core dumped)

[piskvorky]

@Daybreak2019 can you open a PR with a fix? Thanks!

[eric-wieser]

FWIW, this seems to have had a CVE opened against it: https://nvd.nist.gov/vuln/detail/CVE-2021-41497