summaryrefslogtreecommitdiffstats
path: root/Modules/audioop.c
diff options
context:
space:
mode:
authorTim Peters <tim.peters@gmail.com>2001-12-05 06:05:07 (GMT)
committerTim Peters <tim.peters@gmail.com>2001-12-05 06:05:07 (GMT)
commit1691bd9f1ef89acd02dc86e88b81eb53fd0e3c02 (patch)
tree368148a324a54ef7b9ba73128149dec522844c7d /Modules/audioop.c
parentc2f496a138a4838375b449e238d963615d546de6 (diff)
downloadcpython-1691bd9f1ef89acd02dc86e88b81eb53fd0e3c02.zip
cpython-1691bd9f1ef89acd02dc86e88b81eb53fd0e3c02.tar.gz
cpython-1691bd9f1ef89acd02dc86e88b81eb53fd0e3c02.tar.bz2
SF bug 482574: audioop.ratecv crashes.
Bugfix candidate. A numerically naive computation of output buffer size caused crashes and spurious MemoryErrors for reasonable arguments. audioop_ratecv(): Avoid spurious overflow by careful reworking of the buffer size computations, triggering MemoryError if and only if the final buffer size can't be represented in a C int (although PyString_FromStringAndSize may legitimately raise MemoryError even if it does fit in a C int). All reasonable arguments should work as intended now, and all unreasonable arguments should be cuaght.
Diffstat (limited to 'Modules/audioop.c')
-rw-r--r--Modules/audioop.c68
1 files changed, 62 insertions, 6 deletions
diff --git a/Modules/audioop.c b/Modules/audioop.c
index d12642a..014631c 100644
--- a/Modules/audioop.c
+++ b/Modules/audioop.c
@@ -2,6 +2,7 @@
/* audioopmodule - Module to detect peak values in arrays */
#include "Python.h"
+#include <math.h>
#if SIZEOF_INT == 4
typedef int Py_Int32;
@@ -902,6 +903,7 @@ audioop_ratecv(PyObject *self, PyObject *args)
int len, size, nchannels, inrate, outrate, weightA, weightB;
int chan, d, *prev_i, *cur_i, cur_o;
PyObject *state, *samps, *str, *rv = NULL;
+ int size_times_nchannels;
weightA = 1;
weightB = 0;
@@ -936,17 +938,28 @@ audioop_ratecv(PyObject *self, PyObject *args)
prev_i = (int *) malloc(nchannels * sizeof(int));
cur_i = (int *) malloc(nchannels * sizeof(int));
- len /= size * nchannels; /* # of frames */
if (prev_i == NULL || cur_i == NULL) {
(void) PyErr_NoMemory();
goto exit;
}
+ size_times_nchannels = size * nchannels;
+ if (size_times_nchannels / nchannels != size) {
+ /* This overflow test is rigorously correct because
+ both multiplicands are >= 1. Use the argument names
+ from the docs for the error msg. */
+ PyErr_SetString(PyExc_OverflowError,
+ "width * nchannels too big for a C int");
+ goto exit;
+ }
+ len /= size_times_nchannels; /* # of frames */
+
if (state == Py_None) {
d = -outrate;
for (chan = 0; chan < nchannels; chan++)
prev_i[chan] = cur_i[chan] = 0;
- } else {
+ }
+ else {
if (!PyArg_ParseTuple(state,
"iO!;audioop.ratecv: illegal state argument",
&d, &PyTuple_Type, &samps))
@@ -962,10 +975,53 @@ audioop_ratecv(PyObject *self, PyObject *args)
goto exit;
}
}
- str = PyString_FromStringAndSize(
- NULL, size * nchannels * (len * outrate + inrate - 1) / inrate);
- if (str == NULL)
- goto exit;
+
+ /* str <- Space for the output buffer. */
+ {
+ /* There are len input frames, so we need (mathematically)
+ ceiling(len*outrate/inrate) output frames, and each frame
+ requires size_times_nchannels bytes. Computing this
+ without spurious overflow is the challenge. */
+ int ceiling; /* the number of output frames, eventually */
+ int nbytes; /* the number of output bytes needed */
+ int q = len / inrate;
+ int r = len - q * inrate;
+ /* Now len = q * inrate + r exactly, so
+ len*outrate/inrate =
+ (q*inrate+r)*outrate/inrate =
+ (q*inrate*outrate + r*outrate)/inrate =
+ q*outrate + r*outrate/inrate exactly.
+ q*outrate is an exact integer, so the ceiling we're after is
+ q*outrate + ceiling(r*outrate/inrate). */
+ ceiling = q * outrate;
+ if (ceiling / outrate != q) {
+ PyErr_SetString(PyExc_MemoryError,
+ "not enough memory for output buffer");
+ goto exit;
+ }
+ /* Since r = len % inrate, in particular r < inrate. So
+ r * outrate / inrate = (r / inrate) * outrate < outrate,
+ so ceiling(r * outrate / inrate) <= outrate: the final
+ result fits in an int -- it can't overflow. */
+ assert(r < inrate);
+ q = (int)ceil((double)r * (double)outrate / (double)inrate);
+ assert(q <= outrate);
+ ceiling += q;
+ if (ceiling < 0) {
+ PyErr_SetString(PyExc_MemoryError,
+ "not enough memory for output buffer");
+ goto exit;
+ }
+ nbytes = ceiling * size_times_nchannels;
+ if (nbytes / size_times_nchannels != ceiling) {
+ PyErr_SetString(PyExc_MemoryError,
+ "not enough memory for output buffer");
+ goto exit;
+ }
+ str = PyString_FromStringAndSize(NULL, nbytes);
+ if (str == NULL)
+ goto exit;
+ }
ncp = PyString_AsString(str);
for (;;) {