diff options
author | Mark Dickinson <dickinsm@gmail.com> | 2010-05-10 16:27:45 (GMT) |
---|---|---|
committer | Mark Dickinson <dickinsm@gmail.com> | 2010-05-10 16:27:45 (GMT) |
commit | 85eacea31e508666db1ce29827308e98fba1bc21 (patch) | |
tree | bd128e4a558014fdfc247752ac465fcc07869222 | |
parent | 8fc1178cf81e155f1e50151b5820c24e23d43e37 (diff) | |
download | cpython-85eacea31e508666db1ce29827308e98fba1bc21.zip cpython-85eacea31e508666db1ce29827308e98fba1bc21.tar.gz cpython-85eacea31e508666db1ce29827308e98fba1bc21.tar.bz2 |
Merged revisions 81045 via svnmerge from
svn+ssh://pythondev@svn.python.org/python/trunk
........
r81045 | mark.dickinson | 2010-05-10 17:07:42 +0100 (Mon, 10 May 2010) | 3 lines
Issue #8674: Fix incorrect and UB-inducing overflow checks in audioop
module. Thanks Tomas Hoger for the patch.
........
-rw-r--r-- | Misc/ACKS | 1 | ||||
-rw-r--r-- | Misc/NEWS | 3 | ||||
-rw-r--r-- | Modules/audioop.c | 49 |
3 files changed, 25 insertions, 28 deletions
@@ -340,6 +340,7 @@ Joerg-Cyril Hoehle Gregor Hoffleit Chris Hoffman Albert Hofkamp +Tomas Hoger Jonathan Hogg Gerrit Holl Shane Holloway @@ -1114,6 +1114,9 @@ Library Extension Modules ----------------- +- Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing + overflow checks in the audioop module. + - Issue #8644: The accuracy of td.total_seconds() has been improved (by calculating with integer arithmetic instead of float arithmetic internally): the result is now always correctly rounded, and is equivalent to td / diff --git a/Modules/audioop.c b/Modules/audioop.c index 3985ca6..6ca7d72 100644 --- a/Modules/audioop.c +++ b/Modules/audioop.c @@ -834,7 +834,7 @@ static PyObject * audioop_tostereo(PyObject *self, PyObject *args) { signed char *cp, *ncp; - int len, new_len, size, val1, val2, val = 0; + int len, size, val1, val2, val = 0; double fac1, fac2, fval, maxval; PyObject *rv; int i; @@ -851,14 +851,13 @@ audioop_tostereo(PyObject *self, PyObject *args) return 0; } - new_len = len*2; - if (new_len < 0) { + if (len > INT_MAX/2) { PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer"); return 0; } - rv = PyBytes_FromStringAndSize(NULL, new_len); + rv = PyBytes_FromStringAndSize(NULL, len*2); if ( rv == 0 ) return 0; ncp = (signed char *)PyBytes_AsString(rv); @@ -1021,7 +1020,7 @@ audioop_lin2lin(PyObject *self, PyObject *args) { signed char *cp; unsigned char *ncp; - int len, new_len, size, size2, val = 0; + int len, size, size2, val = 0; PyObject *rv; int i, j; @@ -1035,13 +1034,12 @@ audioop_lin2lin(PyObject *self, PyObject *args) return 0; } - new_len = (len/size)*size2; - if (new_len < 0) { + if (len/size > INT_MAX/size2) { PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer"); return 0; } - rv = PyBytes_FromStringAndSize(NULL, new_len); + rv = PyBytes_FromStringAndSize(NULL, (len/size)*size2); if ( rv == 0 ) return 0; ncp = (unsigned char *)PyBytes_AsString(rv); @@ -1077,7 +1075,6 @@ audioop_ratecv(PyObject *self, PyObject *args) int chan, d, *prev_i, *cur_i, cur_o; PyObject *state, *samps, *str, *rv = NULL; int bytes_per_frame; - size_t alloc_size; weightA = 1; weightB = 0; @@ -1120,14 +1117,13 @@ audioop_ratecv(PyObject *self, PyObject *args) inrate /= d; outrate /= d; - alloc_size = sizeof(int) * (unsigned)nchannels; - if (alloc_size < (unsigned)nchannels) { + if ((size_t)nchannels > PY_SIZE_MAX/sizeof(int)) { PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer"); return 0; } - prev_i = (int *) malloc(alloc_size); - cur_i = (int *) malloc(alloc_size); + prev_i = (int *) malloc(nchannels * sizeof(int)); + cur_i = (int *) malloc(nchannels * sizeof(int)); if (prev_i == NULL || cur_i == NULL) { (void) PyErr_NoMemory(); goto exit; @@ -1300,7 +1296,7 @@ audioop_ulaw2lin(PyObject *self, PyObject *args) unsigned char *cp; unsigned char cval; signed char *ncp; - int len, new_len, size, val; + int len, size, val; PyObject *rv; int i; @@ -1313,18 +1309,17 @@ audioop_ulaw2lin(PyObject *self, PyObject *args) return 0; } - new_len = len*size; - if (new_len < 0) { + if (len > INT_MAX/size) { PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer"); return 0; } - rv = PyBytes_FromStringAndSize(NULL, new_len); + rv = PyBytes_FromStringAndSize(NULL, len*size); if ( rv == 0 ) return 0; ncp = (signed char *)PyBytes_AsString(rv); - for ( i=0; i < new_len; i += size ) { + for ( i=0; i < len*size; i += size ) { cval = *cp++; val = st_ulaw2linear16(cval); @@ -1374,7 +1369,7 @@ audioop_alaw2lin(PyObject *self, PyObject *args) unsigned char *cp; unsigned char cval; signed char *ncp; - int len, new_len, size, val; + int len, size, val; PyObject *rv; int i; @@ -1387,18 +1382,17 @@ audioop_alaw2lin(PyObject *self, PyObject *args) return 0; } - new_len = len*size; - if (new_len < 0) { + if (len > INT_MAX/size) { PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer"); return 0; } - rv = PyBytes_FromStringAndSize(NULL, new_len); + rv = PyBytes_FromStringAndSize(NULL, len*size); if ( rv == 0 ) return 0; ncp = (signed char *)PyBytes_AsString(rv); - for ( i=0; i < new_len; i += size ) { + for ( i=0; i < len*size; i += size ) { cval = *cp++; val = st_alaw2linear16(cval); @@ -1523,7 +1517,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args) { signed char *cp; signed char *ncp; - int len, new_len, size, valpred, step, delta, index, sign, vpdiff; + int len, size, valpred, step, delta, index, sign, vpdiff; PyObject *rv, *str, *state; int i, inputbuffer = 0, bufferstep; @@ -1545,13 +1539,12 @@ audioop_adpcm2lin(PyObject *self, PyObject *args) } else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) ) return 0; - new_len = len*size*2; - if (new_len < 0) { + if (len > (INT_MAX/2)/size) { PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer"); return 0; } - str = PyBytes_FromStringAndSize(NULL, new_len); + str = PyBytes_FromStringAndSize(NULL, len*size*2); if ( str == 0 ) return 0; ncp = (signed char *)PyBytes_AsString(str); @@ -1559,7 +1552,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args) step = stepsizeTable[index]; bufferstep = 0; - for ( i=0; i < new_len; i += size ) { + for ( i=0; i < len*size*2; i += size ) { /* Step 1 - get the delta value and compute next index */ if ( bufferstep ) { delta = inputbuffer & 0xf; |