summaryrefslogtreecommitdiffstats
path: root/Modules
diff options
context:
space:
mode:
authorSerhiy Storchaka <storchaka@gmail.com>2015-06-28 14:56:28 (GMT)
committerSerhiy Storchaka <storchaka@gmail.com>2015-06-28 14:56:28 (GMT)
commit1e8d91adfe946807bcd2fd4f40327542eccebe21 (patch)
tree241ebd00d081aca6ad2a84a3a1dfac562c996505 /Modules
parent9aad9f27407861d674570bf5c0bd957bbe13663b (diff)
parentb9b9e7b46a880e7a628a698fd47173b7f7d68870 (diff)
downloadcpython-1e8d91adfe946807bcd2fd4f40327542eccebe21.zip
cpython-1e8d91adfe946807bcd2fd4f40327542eccebe21.tar.gz
cpython-1e8d91adfe946807bcd2fd4f40327542eccebe21.tar.bz2
Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
functions of the audioop module.
Diffstat (limited to 'Modules')
-rw-r--r--Modules/audioop.c39
1 files changed, 26 insertions, 13 deletions
diff --git a/Modules/audioop.c b/Modules/audioop.c
index 27220b2..bbc458f 100644
--- a/Modules/audioop.c
+++ b/Modules/audioop.c
@@ -1627,23 +1627,30 @@ audioop_lin2adpcm_impl(PyModuleDef *module, Py_buffer *fragment, int width,
if (!audioop_check_parameters(fragment->len, width))
return NULL;
- str = PyBytes_FromStringAndSize(NULL, fragment->len/(width*2));
- if (str == NULL)
- return NULL;
- ncp = (signed char *)PyBytes_AsString(str);
-
/* Decode state, should have (value, step) */
if ( state == Py_None ) {
/* First time, it seems. Set defaults */
valpred = 0;
index = 0;
- } else if (!PyTuple_Check(state)) {
+ }
+ else if (!PyTuple_Check(state)) {
PyErr_SetString(PyExc_TypeError, "state must be a tuple or None");
- goto exit;
- } else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) {
- goto exit;
+ return NULL;
+ }
+ else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) {
+ return NULL;
+ }
+ else if (valpred >= 0x8000 || valpred < -0x8000 ||
+ (size_t)index >= Py_ARRAY_LENGTH(stepsizeTable)) {
+ PyErr_SetString(PyExc_ValueError, "bad state");
+ return NULL;
}
+ str = PyBytes_FromStringAndSize(NULL, fragment->len/(width*2));
+ if (str == NULL)
+ return NULL;
+ ncp = (signed char *)PyBytes_AsString(str);
+
step = stepsizeTable[index];
bufferstep = 1;
@@ -1718,8 +1725,6 @@ audioop_lin2adpcm_impl(PyModuleDef *module, Py_buffer *fragment, int width,
bufferstep = !bufferstep;
}
rv = Py_BuildValue("(O(ii))", str, valpred, index);
-
- exit:
Py_DECREF(str);
return rv;
}
@@ -1755,11 +1760,19 @@ audioop_adpcm2lin_impl(PyModuleDef *module, Py_buffer *fragment, int width,
/* First time, it seems. Set defaults */
valpred = 0;
index = 0;
- } else if (!PyTuple_Check(state)) {
+ }
+ else if (!PyTuple_Check(state)) {
PyErr_SetString(PyExc_TypeError, "state must be a tuple or None");
return NULL;
- } else if (!PyArg_ParseTuple(state, "ii", &valpred, &index))
+ }
+ else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) {
+ return NULL;
+ }
+ else if (valpred >= 0x8000 || valpred < -0x8000 ||
+ (size_t)index >= Py_ARRAY_LENGTH(stepsizeTable)) {
+ PyErr_SetString(PyExc_ValueError, "bad state");
return NULL;
+ }
if (fragment->len > (PY_SSIZE_T_MAX/2)/width) {
PyErr_SetString(PyExc_MemoryError,