[New-bugs-announce] [issue7673] audioop: check that length is a multiple of the size
STINNER Victor
report at bugs.python.org
Mon Jan 11 02:05:57 CET 2010
New submission from STINNER Victor <victor.stinner at haypocalc.com>:
Most functions of audioop takes as input a byte string (audio data) and a size argument (number of bytes of a sample). Functions don't check that the byte string length is a multiple of the size. It leads to read and write from/to uninitialised memory and might crash.
Example on writing into uninitilized memory:
$ python -c "import audioop; audioop.reverse('X', 2)"
Fatal Python error: Inconsistent interned string state.
Abandon
It allocates a string of 1 byte and write 2 bytes into this string => memory corruption.
Attached patch creates audioop_check_size() and audioop_check_parameters() functions.
----------
components: Extension Modules
files: audioop_check_length.patch
keywords: patch
messages: 97566
nosy: haypo
severity: normal
status: open
title: audioop: check that length is a multiple of the size
type: crash
versions: Python 2.7, Python 3.2
Added file: http://bugs.python.org/file15823/audioop_check_length.patch
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue7673>
_______________________________________
More information about the New-bugs-announce
mailing list