From ddc63ebe9b52c0ab4ba033301e70fac89f610704 Mon Sep 17 00:00:00 2001
From: Victor Stinner <victor.stinner@haypocalc.com>
Date: Sun, 10 Jan 2010 21:10:01 +0100
Subject: [PATCH] audioop: check that length is a multiple the size

Most functions of audioop takes as input a byte string (audio data) and a size
argument (number of bytes of a sample). Functions don't check that the byte
string length is a multiple of the size. It leads to read and write from/to
uninitialised memory and might crash.

Example on writing into uninitilized memory:

    $ python -c "import audioop; audioop.reverse('X', 2)"
    Fatal Python error: Inconsistent interned string state.
    Abandon

It allocates a string of 1 byte and write 2 bytes into this string => memory
corruption.

Attached patch creates audioop_check_size() and audioop_check_parameters()
functions.
---
 Modules/audioop.c |  153 ++++++++++++++++++++++++----------------------------
 1 files changed, 71 insertions(+), 82 deletions(-)

diff --git a/Modules/audioop.c b/Modules/audioop.c
index 42daf9b..ebb992a 100644
--- a/Modules/audioop.c
+++ b/Modules/audioop.c
@@ -295,6 +295,29 @@ static int stepsizeTable[89] = {
 
 static PyObject *AudioopError;
 
+static int
+audioop_check_size(int size)
+{
+        if ( size != 1 && size != 2 && size != 4 ) {
+                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
+                return 0;
+        } else {
+                return 1;
+        }
+}
+
+static int
+audioop_check_parameters(int len, int size)
+{
+        if (!audioop_check_size(size))
+                return 0;
+        if ( len % size != 0 ) {
+                PyErr_SetString(AudioopError, "not a whole number of frames");
+                return 0;
+        }
+        return 1;
+}
+
 static PyObject *
 audioop_getsample(PyObject *self, PyObject *args)
 {
@@ -304,10 +327,8 @@ audioop_getsample(PyObject *self, PyObject *args)
 
         if ( !PyArg_ParseTuple(args, "s#ii:getsample", &cp, &len, &size, &i) )
                 return 0;
-        if ( size != 1 && size != 2 && size != 4 ) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
         if ( i < 0 || i >= len/size ) {
                 PyErr_SetString(AudioopError, "Index out of range");
                 return 0;
@@ -328,10 +349,8 @@ audioop_max(PyObject *self, PyObject *args)
 
         if ( !PyArg_ParseTuple(args, "s#i:max", &cp, &len, &size) )
                 return 0;
-        if ( size != 1 && size != 2 && size != 4 ) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
         for ( i=0; i<len; i+= size) {
                 if ( size == 1 )      val = (int)*CHARP(cp, i);
                 else if ( size == 2 ) val = (int)*SHORTP(cp, i);
@@ -352,10 +371,8 @@ audioop_minmax(PyObject *self, PyObject *args)
 
         if (!PyArg_ParseTuple(args, "s#i:minmax", &cp, &len, &size))
                 return NULL;
-        if (size != 1 && size != 2 && size != 4) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
+        if (!audioop_check_parameters(len, size))
                 return NULL;
-        }
         for (i = 0; i < len; i += size) {
                 if (size == 1) val = (int) *CHARP(cp, i);
                 else if (size == 2) val = (int) *SHORTP(cp, i);
@@ -376,10 +393,8 @@ audioop_avg(PyObject *self, PyObject *args)
 
         if ( !PyArg_ParseTuple(args, "s#i:avg", &cp, &len, &size) )
                 return 0;
-        if ( size != 1 && size != 2 && size != 4 ) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
         for ( i=0; i<len; i+= size) {
                 if ( size == 1 )      val = (int)*CHARP(cp, i);
                 else if ( size == 2 ) val = (int)*SHORTP(cp, i);
@@ -403,10 +418,8 @@ audioop_rms(PyObject *self, PyObject *args)
 
         if ( !PyArg_ParseTuple(args, "s#i:rms", &cp, &len, &size) )
                 return 0;
-        if ( size != 1 && size != 2 && size != 4 ) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
         for ( i=0; i<len; i+= size) {
                 if ( size == 1 )      val = (int)*CHARP(cp, i);
                 else if ( size == 2 ) val = (int)*SHORTP(cp, i);
@@ -614,10 +627,8 @@ audioop_avgpp(PyObject *self, PyObject *args)
 
         if ( !PyArg_ParseTuple(args, "s#i:avgpp", &cp, &len, &size) )
                 return 0;
-        if ( size != 1 && size != 2 && size != 4 ) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
         /* Compute first delta value ahead. Also automatically makes us
         ** skip the first extreme value
         */
@@ -671,10 +682,8 @@ audioop_maxpp(PyObject *self, PyObject *args)
 
         if ( !PyArg_ParseTuple(args, "s#i:maxpp", &cp, &len, &size) )
                 return 0;
-        if ( size != 1 && size != 2 && size != 4 ) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
         /* Compute first delta value ahead. Also automatically makes us
         ** skip the first extreme value
         */
@@ -722,10 +731,8 @@ audioop_cross(PyObject *self, PyObject *args)
 
         if ( !PyArg_ParseTuple(args, "s#i:cross", &cp, &len, &size) )
                 return 0;
-        if ( size != 1 && size != 2 && size != 4 ) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
         ncross = -1;
         prevval = 17; /* Anything <> 0,1 */
         for ( i=0; i<len; i+= size) {
@@ -750,6 +757,8 @@ audioop_mul(PyObject *self, PyObject *args)
 
         if ( !PyArg_ParseTuple(args, "s#id:mul", &cp, &len, &size, &factor ) )
                 return 0;
+        if (!audioop_check_parameters(len, size))
+                return NULL;
     
         if ( size == 1 ) maxval = (double) 0x7f;
         else if ( size == 2 ) maxval = (double) 0x7fff;
@@ -792,6 +801,12 @@ audioop_tomono(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#idd:tomono",
 	                       &cp, &len, &size, &fac1, &fac2 ) )
                 return 0;
+        if (!audioop_check_parameters(len, size))
+                return NULL;
+        if ( ((len / size) & 1) != 0 ) {
+                PyErr_SetString(AudioopError, "not a whole number of frames");
+                return NULL;
+        }
     
         if ( size == 1 ) maxval = (double) 0x7f;
         else if ( size == 2 ) maxval = (double) 0x7fff;
@@ -837,6 +852,8 @@ audioop_tostereo(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#idd:tostereo",
 	                       &cp, &len, &size, &fac1, &fac2 ) )
                 return 0;
+        if (!audioop_check_parameters(len, size))
+                return NULL;
     
         if ( size == 1 ) maxval = (double) 0x7f;
         else if ( size == 2 ) maxval = (double) 0x7fff;
@@ -896,7 +913,8 @@ audioop_add(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#s#i:add",
                           &cp1, &len1, &cp2, &len2, &size ) )
                 return 0;
-
+        if (!audioop_check_parameters(len1, size))
+                return NULL;
         if ( len1 != len2 ) {
                 PyErr_SetString(AudioopError, "Lengths should be the same");
                 return 0;
@@ -950,11 +968,8 @@ audioop_bias(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#ii:bias",
                           &cp, &len, &size , &bias) )
                 return 0;
-
-        if ( size != 1 && size != 2 && size != 4) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
     
         rv = PyString_FromStringAndSize(NULL, len);
         if ( rv == 0 )
@@ -986,12 +1001,9 @@ audioop_reverse(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#i:reverse",
                           &cp, &len, &size) )
                 return 0;
+        if (!audioop_check_parameters(len, size))
+                return NULL;
 
-        if ( size != 1 && size != 2 && size != 4 ) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
-    
         rv = PyString_FromStringAndSize(NULL, len);
         if ( rv == 0 )
                 return 0;
@@ -1023,12 +1035,10 @@ audioop_lin2lin(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#ii:lin2lin",
                           &cp, &len, &size, &size2) )
                 return 0;
-
-        if ( (size != 1 && size != 2 && size != 4) ||
-             (size2 != 1 && size2 != 2 && size2 != 4)) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
+        if (!audioop_check_size(size2))
+                return NULL;
     
         new_len = (len/size)*size2;
         if (new_len < 0) {
@@ -1080,10 +1090,8 @@ audioop_ratecv(PyObject *self, PyObject *args)
 	                      &nchannels, &inrate, &outrate, &state,
 			      &weightA, &weightB))
                 return NULL;
-        if (size != 1 && size != 2 && size != 4) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
+        if (!audioop_check_size(size))
                 return NULL;
-        }
         if (nchannels < 1) {
                 PyErr_SetString(AudioopError, "# of channels should be >= 1");
                 return NULL;
@@ -1269,11 +1277,8 @@ audioop_lin2ulaw(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#i:lin2ulaw",
                                &cp, &len, &size) )
                 return 0 ;
-
-        if ( size != 1 && size != 2 && size != 4) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
     
         rv = PyString_FromStringAndSize(NULL, len/size);
         if ( rv == 0 )
@@ -1303,11 +1308,8 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#i:ulaw2lin",
                                &cp, &len, &size) )
                 return 0;
-
-        if ( size != 1 && size != 2 && size != 4) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_size(size))
+                return NULL;
     
         new_len = len*size;
         if (new_len < 0) {
@@ -1343,11 +1345,8 @@ audioop_lin2alaw(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#i:lin2alaw",
                                &cp, &len, &size) )
                 return 0;
-
-        if ( size != 1 && size != 2 && size != 4) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
     
         rv = PyString_FromStringAndSize(NULL, len/size);
         if ( rv == 0 )
@@ -1377,11 +1376,8 @@ audioop_alaw2lin(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#i:alaw2lin",
                                &cp, &len, &size) )
                 return 0;
-
-        if ( size != 1 && size != 2 && size != 4) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_size(size))
+                return NULL;
     
         new_len = len*size;
         if (new_len < 0) {
@@ -1418,12 +1414,8 @@ audioop_lin2adpcm(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#iO:lin2adpcm",
                                &cp, &len, &size, &state) )
                 return 0;
-    
-
-        if ( size != 1 && size != 2 && size != 4) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_parameters(len, size))
+                return NULL;
     
         str = PyString_FromStringAndSize(NULL, len/(size*2));
         if ( str == 0 )
@@ -1526,11 +1518,8 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
         if ( !PyArg_ParseTuple(args, "s#iO:adpcm2lin",
                                &cp, &len, &size, &state) )
                 return 0;
-
-        if ( size != 1 && size != 2 && size != 4) {
-                PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
-                return 0;
-        }
+        if (!audioop_check_size(size))
+                return NULL;
     
         /* Decode state, should have (value, step) */
         if ( state == Py_None ) {
-- 
1.6.0.4