classification
Title: alp_ReadFrames() integer overflow leads to buffer overflow
Type: security Stage: resolved
Components: Extension Modules Versions: Python 2.5
process
Status: closed Resolution: wont fix
Dependencies: Superseder:
Assigned To: Nosy List: jnferguson, r.david.murray
Priority: normal Keywords:

Created on 2008-04-08 16:18 by jnferguson, last changed 2022-04-11 14:56 by admin. This issue is now closed.

Messages (2)
msg65183 - (view) Author: Justin Ferguson (jnferguson) Date: 2008-04-08 16:18
Please see bug 2591 for a suggestion on what to do with these SGI modules.
(Sorry, I don't have any PoCs/repros; I don't have an SGI box handy atm.)

Integer overflow/invalid allocation at 768, write to memory at 773

 716 static PyObject *
 717 alp_ReadFrames(alpobject *self, PyObject *args)
 718 {
 719         int framecount;
 720         PyObject *v;
 721         int size;
 722         int ch;
 723         ALconfig c;
 724 
 725         if (!PyArg_ParseTuple(args, "i:ReadFrames", &framecount))
 726                 return NULL;
 727         if (framecount < 0) {
 728                 PyErr_SetString(ErrorObject, "negative framecount");
 729                 return NULL;
 730         }
[...]
 732         switch (alGetSampFmt(c)) {
 733         case AL_SAMPFMT_TWOSCOMP:
 734                 switch (alGetWidth(c)) {
 735                 case AL_SAMPLE_8:
 736                         size = 1;
 737                         break;
 738                 case AL_SAMPLE_16:
 739                         size = 2;
 740                         break;
 741                 case AL_SAMPLE_24:
 742                         size = 4;
 743                         break;
 744                 default:
 745                         PyErr_SetString(ErrorObject, "can't determine width");
 746                         alFreeConfig(c);
 747                         return NULL;
 748                 }
 749                 break;
 750         case AL_SAMPFMT_FLOAT:
 751                 size = 4;
 752                 break;
 753         case AL_SAMPFMT_DOUBLE:
 754                 size = 8;
 755                 break;
 756         default:
 757                 PyErr_SetString(ErrorObject, "can't determine format");
 758                 alFreeConfig(c);
 759                 return NULL;
 760         }
 761         ch = alGetChannels(c);
 762         alFreeConfig(c);
 763         if (ch < 0) {
 764                 PyErr_SetString(ErrorObject, "can't determine # of channels");
 765                 return NULL;
 766         }
 767         size *= ch;
 768         v = PyString_FromStringAndSize((char *) NULL, size * framecount);
 769         if (v == NULL)
 770                 return NULL;
 771 
[...] 
 773         alReadFrames(self->port, (void *) PyString_AS_STRING(v), framecount);
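An added example, not part of the original report or the CPython source: the `size * framecount` arithmetic from line 768 isolated in plain C, next to a guarded version that refuses the allocation when the product does not fit in an `int`. The helper names `wrapped_product` and `checked_read_size` and the input values are constructed for illustration, and a 32-bit `int` is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Low 32 bits of size * ch * framecount: the value a wrapping 32-bit
 * multiply leaves behind. Done in unsigned 64-bit arithmetic so the
 * demo itself has no signed-overflow undefined behaviour. */
static uint32_t wrapped_product(int size, int ch, int framecount)
{
    uint32_t per_frame = (uint32_t)((uint64_t)(uint32_t)size * (uint32_t)ch);
    return (uint32_t)((uint64_t)per_frame * (uint32_t)framecount);
}

/* Hypothetical guard: 0 and *out = byte count on success, -1 if any
 * argument is invalid or the product would exceed INT_MAX. */
static int checked_read_size(int size, int ch, int framecount, int *out)
{
    if (size <= 0 || ch < 0 || framecount < 0)
        return -1;
    if (ch != 0 && size > INT_MAX / ch)
        return -1;
    size *= ch;                      /* bytes per frame, now known to fit */
    if (size != 0 && framecount > INT_MAX / size)
        return -1;
    *out = size * framecount;
    return 0;
}

int main(void)
{
    /* Constructed inputs: 8-byte samples, 2 channels. */
    int frames[] = { 1024, 0x10000001 };
    for (int i = 0; i < 2; i++) {
        int n = 0;
        int rc = checked_read_size(8, 2, frames[i], &n);
        printf("framecount=%d wrapped=%u checked=%s\n", frames[i],
               (unsigned)wrapped_product(8, 2, frames[i]),
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

With the second input the wrapped product is 16 bytes while the frame count passed on to the read is unchanged, which is the mismatch between lines 768 and 773; the guarded version rejects it before any allocation.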
msg84398 - (view) Author: R. David Murray (r.david.murray) * (Python committer) Date: 2009-03-29 14:00
Closed per comments in issue2591.
History
Date                 User            Action  Args
2022-04-11 14:56:33  admin           set     github: 46845
2009-03-29 14:00:05  r.david.murray  set     status: open -> closed; nosy: + r.david.murray; messages: + msg84398; resolution: wont fix; stage: resolved
2008-04-08 16:18:28  jnferguson      create