diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2015-06-28 14:51:40 (GMT) |
|---|---|---|
| committer | Serhiy Storchaka <storchaka@gmail.com> | 2015-06-28 14:51:40 (GMT) |
| commit | 84af51d1b3a55ea3a0c860bb2f2ff99039d621cd (patch) | |
| tree | fd49684a73907ada70386c2539cdf8f2764ab455 /Modules | |
| parent | d1d4d8ab995b8deaf100cafe609ab55bf5cac46e (diff) | |
| download | cpython-84af51d1b3a55ea3a0c860bb2f2ff99039d621cd.zip cpython-84af51d1b3a55ea3a0c860bb2f2ff99039d621cd.tar.gz cpython-84af51d1b3a55ea3a0c860bb2f2ff99039d621cd.tar.bz2 | |
Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
functions of the audioop module. Fixed SystemError when the state is not a
tuple. Fixed possible memory leak.
Diffstat (limited to 'Modules')
| -rw-r--r-- | Modules/audioop.c | 38 |
1 files changed, 30 insertions, 8 deletions
diff --git a/Modules/audioop.c b/Modules/audioop.c index 0282c7e..4d3b679 100644 --- a/Modules/audioop.c +++ b/Modules/audioop.c @@ -1420,18 +1420,29 @@ audioop_lin2adpcm(PyObject *self, PyObject *args) if (!audioop_check_parameters(len, size)) return NULL; - str = PyString_FromStringAndSize(NULL, len/(size*2)); - if ( str == 0 ) - return 0; - ncp = (signed char *)PyString_AsString(str); - /* Decode state, should have (value, step) */ if ( state == Py_None ) { /* First time, it seems. Set defaults */ valpred = 0; index = 0; - } else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) ) + } + else if (!PyTuple_Check(state)) { + PyErr_SetString(PyExc_TypeError, "state must be a tuple or None"); + return NULL; + } + else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) { + return NULL; + } + else if (valpred >= 0x8000 || valpred < -0x8000 || + (size_t)index >= sizeof(stepsizeTable)/sizeof(stepsizeTable[0])) { + PyErr_SetString(PyExc_ValueError, "bad state"); + return NULL; + } + + str = PyString_FromStringAndSize(NULL, len/(size*2)); + if ( str == 0 ) return 0; + ncp = (signed char *)PyString_AsString(str); step = stepsizeTable[index]; bufferstep = 1; @@ -1529,8 +1540,19 @@ audioop_adpcm2lin(PyObject *self, PyObject *args) /* First time, it seems. Set defaults */ valpred = 0; index = 0; - } else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) ) - return 0; + } + else if (!PyTuple_Check(state)) { + PyErr_SetString(PyExc_TypeError, "state must be a tuple or None"); + return NULL; + } + else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) { + return NULL; + } + else if (valpred >= 0x8000 || valpred < -0x8000 || + (size_t)index >= sizeof(stepsizeTable)/sizeof(stepsizeTable[0])) { + PyErr_SetString(PyExc_ValueError, "bad state"); + return NULL; + } if (len > (INT_MAX/2)/size) { PyErr_SetString(PyExc_MemoryError, |