This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author thoger
Recipients thoger
Date 2010-05-10.13:43:22
SpamBayes Score 0.005485505
Marked as misclassified No
Message-id <1273499009.24.0.283270137147.issue8674@psf.upfronthosting.co.za>
In-reply-to
Content
SVN commit r64114 added integer overflow checks to multiple modules.  Checks added to audioop module are incorrect and can still be bypassed:

http://svn.python.org/view/python/trunk/Modules/audioop.c?r1=64114&r2=64113

- audioop_tostereo - should be fine, but relies on undefined behaviour
- audioop_lin2lin - undetected overflow: size=1, size2=4, len=0x40000001
- audioop_ratecv - undetected overflow: nchannels=0x5fffffff (32bit)
- audioop_ulaw2lin - undetected overflow: size=4, len=0x40000001
- audioop_alaw2lin - same as audioop_ulaw2lin
- audioop_adpcm2lin - undetected overflow: size=4, len=0x20000001

Most of these are triggered by large fragment as an input.

Attached patch replaces checks added in r64114 by checks using INT_MAX.
History
Date User Action Args
2010-05-10 13:43:29thogersetrecipients: + thoger
2010-05-10 13:43:29thogersetmessageid: <1273499009.24.0.283270137147.issue8674@psf.upfronthosting.co.za>
2010-05-10 13:43:26thogerlinkissue8674 messages
2010-05-10 13:43:24thogercreate