diff options
author | Serhiy Storchaka <storchaka@gmail.com> | 2015-06-28 14:52:09 (GMT) |
---|---|---|
committer | Serhiy Storchaka <storchaka@gmail.com> | 2015-06-28 14:52:09 (GMT) |
commit | 449e2be12b654a9b892648ff5496c6d7dfbb85f9 (patch) | |
tree | 966f4a742492ccf2af0aa194137a3621a0bac237 /Modules | |
parent | 101ff3541cbe5bd9549722dc53c28d6c21b9389c (diff) | |
download | cpython-449e2be12b654a9b892648ff5496c6d7dfbb85f9.zip cpython-449e2be12b654a9b892648ff5496c6d7dfbb85f9.tar.gz cpython-449e2be12b654a9b892648ff5496c6d7dfbb85f9.tar.bz2 |
Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
functions of the audioop module.
Diffstat (limited to 'Modules')
-rw-r--r-- | Modules/audioop.c | 39 |
1 files changed, 26 insertions, 13 deletions
diff --git a/Modules/audioop.c b/Modules/audioop.c index 0358147..5efed0c 100644 --- a/Modules/audioop.c +++ b/Modules/audioop.c @@ -1615,23 +1615,30 @@ audioop_lin2adpcm_impl(PyModuleDef *module, Py_buffer *fragment, int width, PyOb if (!audioop_check_parameters(fragment->len, width)) return NULL; - str = PyBytes_FromStringAndSize(NULL, fragment->len/(width*2)); - if (str == NULL) - return NULL; - ncp = (signed char *)PyBytes_AsString(str); - /* Decode state, should have (value, step) */ if ( state == Py_None ) { /* First time, it seems. Set defaults */ valpred = 0; index = 0; - } else if (!PyTuple_Check(state)) { + } + else if (!PyTuple_Check(state)) { PyErr_SetString(PyExc_TypeError, "state must be a tuple or None"); - goto exit; - } else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) { - goto exit; + return NULL; + } + else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) { + return NULL; + } + else if (valpred >= 0x8000 || valpred < -0x8000 || + (size_t)index >= Py_ARRAY_LENGTH(stepsizeTable)) { + PyErr_SetString(PyExc_ValueError, "bad state"); + return NULL; } + str = PyBytes_FromStringAndSize(NULL, fragment->len/(width*2)); + if (str == NULL) + return NULL; + ncp = (signed char *)PyBytes_AsString(str); + step = stepsizeTable[index]; bufferstep = 1; @@ -1706,8 +1713,6 @@ audioop_lin2adpcm_impl(PyModuleDef *module, Py_buffer *fragment, int width, PyOb bufferstep = !bufferstep; } rv = Py_BuildValue("(O(ii))", str, valpred, index); - - exit: Py_DECREF(str); return rv; } @@ -1742,11 +1747,19 @@ audioop_adpcm2lin_impl(PyModuleDef *module, Py_buffer *fragment, int width, PyOb /* First time, it seems. Set defaults */ valpred = 0; index = 0; - } else if (!PyTuple_Check(state)) { + } + else if (!PyTuple_Check(state)) { PyErr_SetString(PyExc_TypeError, "state must be a tuple or None"); return NULL; - } else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) + } + else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) { + return NULL; + } + else if (valpred >= 0x8000 || valpred < -0x8000 || + (size_t)index >= Py_ARRAY_LENGTH(stepsizeTable)) { + PyErr_SetString(PyExc_ValueError, "bad state"); return NULL; + } if (fragment->len > (PY_SSIZE_T_MAX/2)/width) { PyErr_SetString(PyExc_MemoryError, |