[issue8674] audioop: incorrect integer overflow checks
Tomas Hoger
report at bugs.python.org
Mon May 10 15:43:29 CEST 2010
New submission from Tomas Hoger <thoger at redhat.com>:
SVN commit r64114 added integer overflow checks to multiple modules. Checks added to audioop module are incorrect and can still be bypassed:
http://svn.python.org/view/python/trunk/Modules/audioop.c?r1=64114&r2=64113
- audioop_tostereo - should be fine, but relies on undefined behaviour
- audioop_lin2lin - undetected overflow: size=1, size2=4, len=0x40000001
- audioop_ratecv - undetected overflow: nchannels=0x5fffffff (32bit)
- audioop_ulaw2lin - undetected overflow: size=4, len=0x40000001
- audioop_alaw2lin - same as audioop_ulaw2lin
- audioop_adpcm2lin - undetected overflow: size=4, len=0x20000001
Most of these are triggered by large fragment as an input.
Attached patch replaces checks added in r64114 by checks using INT_MAX.
----------
components: Extension Modules
files: python2.6-audioop-int-overflows.diff
keywords: patch
messages: 105434
nosy: thoger
priority: normal
severity: normal
status: open
title: audioop: incorrect integer overflow checks
type: security
versions: Python 2.6
Added file: http://bugs.python.org/file17281/python2.6-audioop-int-overflows.diff
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue8674>
_______________________________________
More information about the Python-bugs-list
mailing list