traverseda
/
cpython
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm() 

functions of the audioop module.
This commit is contained in:
Serhiy Storchaka 2015-06-28 17:55:33 +03:00
parent eab7704044 449e2be12b
commit b9b9e7b46a
3 changed files with 40 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Lib/test/test_audioop.py
View File

@ -273,6 +273,16 @@ class TestAudioop(unittest.TestCase):
# state must be a tuple or None, not an integer
self.assertRaises(TypeError, audioop.adpcm2lin, b'\0', 1, 555)
self.assertRaises(TypeError, audioop.lin2adpcm, b'\0', 1, 555)
# Issues #24456, #24457: index out of range
self.assertRaises(ValueError, audioop.adpcm2lin, b'\0', 1, (0, -1))
self.assertRaises(ValueError, audioop.adpcm2lin, b'\0', 1, (0, 89))
self.assertRaises(ValueError, audioop.lin2adpcm, b'\0', 1, (0, -1))
self.assertRaises(ValueError, audioop.lin2adpcm, b'\0', 1, (0, 89))
# value out of range
self.assertRaises(ValueError, audioop.adpcm2lin, b'\0', 1, (-0x8001, 0))
self.assertRaises(ValueError, audioop.adpcm2lin, b'\0', 1, (0x8000, 0))
self.assertRaises(ValueError, audioop.lin2adpcm, b'\0', 1, (-0x8001, 0))
self.assertRaises(ValueError, audioop.lin2adpcm, b'\0', 1, (0x8000, 0))
def test_lin2alaw(self):
self.assertEqual(audioop.lin2alaw(datas[1], 1),

3
Misc/NEWS
View File

@ -25,6 +25,9 @@ Core and Builtins
Library
-------
- Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
functions of the audioop module.
- Issue #24336: The contextmanager decorator now works with functions with
keyword arguments called "func" and "self". Patch by Martin Panter.

41
Modules/audioop.c
View File

@ -1627,22 +1627,29 @@ audioop_lin2adpcm_impl(PyModuleDef *module, Py_buffer *fragment, int width,
if (!audioop_check_parameters(fragment->len, width))
return NULL;
str = PyBytes_FromStringAndSize(NULL, fragment->len/(width*2));
if (str == NULL)
return NULL;
ncp = (signed char *)PyBytes_AsString(str);
/* Decode state, should have (value, step) */
if ( state == Py_None ) {
/* First time, it seems. Set defaults */
valpred = 0;
index = 0;
} else if (!PyTuple_Check(state)) {
PyErr_SetString(PyExc_TypeError, "state must be a tuple or None");
goto exit;
} else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) {
goto exit;
}
else if (!PyTuple_Check(state)) {
PyErr_SetString(PyExc_TypeError, "state must be a tuple or None");
return NULL;
}
else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) {
return NULL;
}
else if (valpred >= 0x8000 || valpred < -0x8000 ||
(size_t)index >= Py_ARRAY_LENGTH(stepsizeTable)) {
PyErr_SetString(PyExc_ValueError, "bad state");
return NULL;
}
str = PyBytes_FromStringAndSize(NULL, fragment->len/(width*2));
if (str == NULL)
return NULL;
ncp = (signed char *)PyBytes_AsString(str);
step = stepsizeTable[index];
bufferstep = 1;
@ -1718,8 +1725,6 @@ audioop_lin2adpcm_impl(PyModuleDef *module, Py_buffer *fragment, int width,
bufferstep = !bufferstep;
}
rv = Py_BuildValue("(O(ii))", str, valpred, index);
exit:
Py_DECREF(str);
return rv;
}
@ -1755,11 +1760,19 @@ audioop_adpcm2lin_impl(PyModuleDef *module, Py_buffer *fragment, int width,
/* First time, it seems. Set defaults */
valpred = 0;
index = 0;
} else if (!PyTuple_Check(state)) {
}
else if (!PyTuple_Check(state)) {
PyErr_SetString(PyExc_TypeError, "state must be a tuple or None");
return NULL;
} else if (!PyArg_ParseTuple(state, "ii", &valpred, &index))
}
else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) {
return NULL;
}
else if (valpred >= 0x8000 || valpred < -0x8000 ||
(size_t)index >= Py_ARRAY_LENGTH(stepsizeTable)) {
PyErr_SetString(PyExc_ValueError, "bad state");
return NULL;
}
if (fragment->len > (PY_SSIZE_T_MAX/2)/width) {
PyErr_SetString(PyExc_MemoryError,