Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

alp_readsamps() overflow leads to memory corruption in ?unused? SGI extension module almodule.c #46846

Closed
jnferguson mannequin opened this issue Apr 8, 2008 · 2 comments
Labels
extension-modules C modules in the Modules dir type-security A security issue

Comments

@jnferguson
Copy link
Mannequin

jnferguson mannequin commented Apr 8, 2008

BPO 2594
Nosy @bitdancer

Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2009-03-29.14:01:30.933>
created_at = <Date 2008-04-08.16:31:43.006>
labels = ['type-security', 'extension-modules']
title = 'alp_readsamps() overflow leads to memory corruption in ?unused? SGI extension module almodule.c'
updated_at = <Date 2009-03-29.14:01:30.931>
user = 'https://bugs.python.org/jnferguson'

bugs.python.org fields:

activity = <Date 2009-03-29.14:01:30.931>
actor = 'r.david.murray'
assignee = 'none'
closed = True
closed_date = <Date 2009-03-29.14:01:30.933>
closer = 'r.david.murray'
components = ['Extension Modules']
creation = <Date 2008-04-08.16:31:43.006>
creator = 'jnferguson'
dependencies = []
files = []
hgrepos = []
issue_num = 2594
keywords = []
message_count = 2.0
messages = ['65188', '84399']
nosy_count = 2.0
nosy_names = ['jnferguson', 'r.david.murray']
pr_nums = []
priority = 'normal'
resolution = 'wont fix'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue2594'
versions = ['Python 2.5']

@jnferguson
Copy link
Mannequin Author

jnferguson mannequin commented Apr 8, 2008

You guys should probably just remove the SGI modules, the code looks
like it hasn't been touched in some time and hasn't gone through the
same security checks as other pieces of code. Sorry I have no
repro's/pocs, I don't have an irix box either though ;]

integer overflow/misallocation occurs at 1071, write to bad memory at 1076

1042 alp_readsamps(alpobject *self, PyObject *args)
1043 {
1044         long count;
1045         PyObject *v;
1046         ALconfig c;
1047         int width;
1048         int ret;
1049 
1050         if (!PyArg_ParseTuple(args, "l:readsamps", &count))
1051                 return NULL;
1052 
1053         if (count <= 0) {
1054                 PyErr_SetString(ErrorObject, "al.readsamps : arg <=
0");
1055                 return NULL;
1056         }
1057 
1058         c = ALgetconfig(self->port);
1059 #ifdef AL_405
1060         width = ALgetsampfmt(c);
1061         if (width == AL_SAMPFMT_FLOAT)
1062                 width = sizeof(float);
1063         else if (width == AL_SAMPFMT_DOUBLE)
1064                 width = sizeof(double);
1065         else
1066                 width = ALgetwidth(c);
1067 #else
1068         width = ALgetwidth(c);
1069 #endif /* AL_405 */
1070         ALfreeconfig(c);
1071         v = PyString_FromStringAndSize((char *)NULL, width * count);
1072         if (v == NULL)
1073                 return NULL;
1074 
1075         Py_BEGIN_ALLOW_THREADS
1076         ret = ALreadsamps(self->port, (void *)
PyString_AsString(v), count);
1077         Py_END_ALLOW_THREADS
1078         if (ret == -1) {
1079                 Py_DECREF(v);
1080                 return NULL;
1081         }
1082 
1083         return (v);
1084 }

@jnferguson jnferguson mannequin added extension-modules C modules in the Modules dir type-security A security issue labels Apr 8, 2008
@bitdancer
Copy link
Member

closed per comments in bpo-2591.

@ezio-melotti ezio-melotti transferred this issue from another repository Apr 10, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
extension-modules C modules in the Modules dir type-security A security issue
Projects
None yet
Development

No branches or pull requests

1 participant