Mirror
/
cpython
mirror of https://github.com/python/cpython
4
1
Fork 0
Code Issues Releases Wiki Activity

Merged revisions 81047 via svnmerge from 

svn+ssh://pythondev@svn.python.org/python/branches/py3k

................
  r81047 | mark.dickinson | 2010-05-10 17:27:45 +0100 (Mon, 10 May 2010) | 10 lines

  Merged revisions 81045 via svnmerge from
  svn+ssh://pythondev@svn.python.org/python/trunk

  ........
    r81045 | mark.dickinson | 2010-05-10 17:07:42 +0100 (Mon, 10 May 2010) | 3 lines

    Issue #8674: Fix incorrect and UB-inducing overflow checks in audioop
    module.  Thanks Tomas Hoger for the patch.
  ........
................
This commit is contained in:
Mark Dickinson 2010-05-10 16:39:55 +00:00
parent 7f14f0d8a0
commit 587cb1a2b2
3 changed files with 25 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
Misc/ACKS
View File

@ -328,6 +328,7 @@ Joerg-Cyril Hoehle
Gregor Hoffleit Gregor Hoffleit
Chris Hoffman Chris Hoffman
Albert Hofkamp Albert Hofkamp
Tomas Hoger
Jonathan Hogg Jonathan Hogg
Gerrit Holl Gerrit Holl
Shane Holloway Shane Holloway

3
Misc/NEWS
View File

@ -40,6 +40,9 @@ Core and Builtins
Library Library
------- -------
- Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
overflow checks in the audioop module.
- Issue #8571: Fix an internal error when compressing or decompressing a - Issue #8571: Fix an internal error when compressing or decompressing a
chunk larger than 1GB with the zlib module's compressor and decompressor chunk larger than 1GB with the zlib module's compressor and decompressor
objects. objects.

49
Modules/audioop.c
View File

@ -834,7 +834,7 @@ static PyObject *
audioop_tostereo(PyObject *self, PyObject *args) audioop_tostereo(PyObject *self, PyObject *args)
{ {
signed char *cp, *ncp; signed char *cp, *ncp;
int len, new_len, size, val1, val2, val = 0; int len, size, val1, val2, val = 0;
double fac1, fac2, fval, maxval; double fac1, fac2, fval, maxval;
PyObject *rv; PyObject *rv;
int i; int i;
@ -851,14 +851,13 @@ audioop_tostereo(PyObject *self, PyObject *args)
return 0; return 0;
} }
new_len = len*2; if (len > INT_MAX/2) {
if (new_len < 0) {
PyErr_SetString(PyExc_MemoryError, PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer"); "not enough memory for output buffer");
return 0; return 0;
} }
rv = PyBytes_FromStringAndSize(NULL, new_len); rv = PyBytes_FromStringAndSize(NULL, len*2);
if ( rv == 0 ) if ( rv == 0 )
return 0; return 0;
ncp = (signed char *)PyBytes_AsString(rv); ncp = (signed char *)PyBytes_AsString(rv);
@ -1021,7 +1020,7 @@ audioop_lin2lin(PyObject *self, PyObject *args)
{ {
signed char *cp; signed char *cp;
unsigned char *ncp; unsigned char *ncp;
int len, new_len, size, size2, val = 0; int len, size, size2, val = 0;
PyObject *rv; PyObject *rv;
int i, j; int i, j;
@ -1035,13 +1034,12 @@ audioop_lin2lin(PyObject *self, PyObject *args)
return 0; return 0;
} }
new_len = (len/size)*size2; if (len/size > INT_MAX/size2) {
if (new_len < 0) {
PyErr_SetString(PyExc_MemoryError, PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer"); "not enough memory for output buffer");
return 0; return 0;
} }
rv = PyBytes_FromStringAndSize(NULL, new_len); rv = PyBytes_FromStringAndSize(NULL, (len/size)*size2);
if ( rv == 0 ) if ( rv == 0 )
return 0; return 0;
ncp = (unsigned char *)PyBytes_AsString(rv); ncp = (unsigned char *)PyBytes_AsString(rv);
@ -1077,7 +1075,6 @@ audioop_ratecv(PyObject *self, PyObject *args)
int chan, d, *prev_i, *cur_i, cur_o; int chan, d, *prev_i, *cur_i, cur_o;
PyObject *state, *samps, *str, *rv = NULL; PyObject *state, *samps, *str, *rv = NULL;
int bytes_per_frame; int bytes_per_frame;
size_t alloc_size;
weightA = 1; weightA = 1;
weightB = 0; weightB = 0;
@ -1120,14 +1117,13 @@ audioop_ratecv(PyObject *self, PyObject *args)
inrate /= d; inrate /= d;
outrate /= d; outrate /= d;
alloc_size = sizeof(int) * (unsigned)nchannels; if ((size_t)nchannels > PY_SIZE_MAX/sizeof(int)) {
if (alloc_size < (unsigned)nchannels) {
PyErr_SetString(PyExc_MemoryError, PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer"); "not enough memory for output buffer");
return 0; return 0;
} }
prev_i = (int *) malloc(alloc_size); prev_i = (int *) malloc(nchannels * sizeof(int));
cur_i = (int *) malloc(alloc_size); cur_i = (int *) malloc(nchannels * sizeof(int));
if (prev_i == NULL || cur_i == NULL) { if (prev_i == NULL || cur_i == NULL) {
(void) PyErr_NoMemory(); (void) PyErr_NoMemory();
goto exit; goto exit;
@ -1300,7 +1296,7 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
unsigned char *cp; unsigned char *cp;
unsigned char cval; unsigned char cval;
signed char *ncp; signed char *ncp;
int len, new_len, size, val; int len, size, val;
PyObject *rv; PyObject *rv;
int i; int i;
@ -1313,18 +1309,17 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
return 0; return 0;
} }
new_len = len*size; if (len > INT_MAX/size) {
if (new_len < 0) {
PyErr_SetString(PyExc_MemoryError, PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer"); "not enough memory for output buffer");
return 0; return 0;
} }
rv = PyBytes_FromStringAndSize(NULL, new_len); rv = PyBytes_FromStringAndSize(NULL, len*size);
if ( rv == 0 ) if ( rv == 0 )
return 0; return 0;
ncp = (signed char *)PyBytes_AsString(rv); ncp = (signed char *)PyBytes_AsString(rv);
for ( i=0; i < new_len; i += size ) { for ( i=0; i < len*size; i += size ) {
cval = *cp++; cval = *cp++;
val = st_ulaw2linear16(cval); val = st_ulaw2linear16(cval);
@ -1374,7 +1369,7 @@ audioop_alaw2lin(PyObject *self, PyObject *args)
unsigned char *cp; unsigned char *cp;
unsigned char cval; unsigned char cval;
signed char *ncp; signed char *ncp;
int len, new_len, size, val; int len, size, val;
PyObject *rv; PyObject *rv;
int i; int i;
@ -1387,18 +1382,17 @@ audioop_alaw2lin(PyObject *self, PyObject *args)
return 0; return 0;
} }
new_len = len*size; if (len > INT_MAX/size) {
if (new_len < 0) {
PyErr_SetString(PyExc_MemoryError, PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer"); "not enough memory for output buffer");
return 0; return 0;
} }
rv = PyBytes_FromStringAndSize(NULL, new_len); rv = PyBytes_FromStringAndSize(NULL, len*size);
if ( rv == 0 ) if ( rv == 0 )
return 0; return 0;
ncp = (signed char *)PyBytes_AsString(rv); ncp = (signed char *)PyBytes_AsString(rv);
for ( i=0; i < new_len; i += size ) { for ( i=0; i < len*size; i += size ) {
cval = *cp++; cval = *cp++;
val = st_alaw2linear16(cval); val = st_alaw2linear16(cval);
@ -1523,7 +1517,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
{ {
signed char *cp; signed char *cp;
signed char *ncp; signed char *ncp;
int len, new_len, size, valpred, step, delta, index, sign, vpdiff; int len, size, valpred, step, delta, index, sign, vpdiff;
PyObject *rv, *str, *state; PyObject *rv, *str, *state;
int i, inputbuffer = 0, bufferstep; int i, inputbuffer = 0, bufferstep;
@ -1545,13 +1539,12 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
} else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) ) } else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) )
return 0; return 0;
new_len = len*size*2; if (len > (INT_MAX/2)/size) {
if (new_len < 0) {
PyErr_SetString(PyExc_MemoryError, PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer"); "not enough memory for output buffer");
return 0; return 0;
} }
str = PyBytes_FromStringAndSize(NULL, new_len); str = PyBytes_FromStringAndSize(NULL, len*size*2);
if ( str == 0 ) if ( str == 0 )
return 0; return 0;
ncp = (signed char *)PyBytes_AsString(str); ncp = (signed char *)PyBytes_AsString(str);
@ -1559,7 +1552,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
step = stepsizeTable[index]; step = stepsizeTable[index];
bufferstep = 0; bufferstep = 0;
for ( i=0; i < new_len; i += size ) { for ( i=0; i < len*size*2; i += size ) {
/* Step 1 - get the delta value and compute next index */ /* Step 1 - get the delta value and compute next index */
if ( bufferstep ) { if ( bufferstep ) {
delta = inputbuffer & 0xf; delta = inputbuffer & 0xf;