Message105443
> Do you have any Python examples that failed to trigger the overflow
> on your platform?
No, I've not really tried to create some, as I found it while looking into similar checks added to rgbimg module (which is dead and removed upstream now) in the same commit r64114.
Having another close look, I can reproduce crash with lin2lin:
audioop.lin2lin("A"*0x40000001, 1, 4)
ratecv may cause issues too. Other cases use for loop with multiplication product as an upper bound, so the integer overflow should be harmless in those case.
> is there something about the formats that audioop is dealing
> with that limits sizes to INT_MAX (rather than PY_SSIZE_T_MAX,
> for example)?
I've started looking into this on oldish python 2.4, where PyString_FromStringAndSize accepts int size, rather than Py_ssize_t. Rest of the audioop code was using ints too. It's possible it is ok to more to size_t in current python version. |
|
Date |
User |
Action |
Args |
2010-05-10 15:21:35 | thoger | set | recipients:
+ thoger, mark.dickinson |
2010-05-10 15:21:35 | thoger | set | messageid: <1273504895.42.0.775977214562.issue8674@psf.upfronthosting.co.za> |
2010-05-10 15:21:33 | thoger | link | issue8674 messages |
2010-05-10 15:21:33 | thoger | create | |
|