Message105434
SVN commit r64114 added integer overflow checks to multiple modules. Checks added to audioop module are incorrect and can still be bypassed:
http://svn.python.org/view/python/trunk/Modules/audioop.c?r1=64114&r2=64113
- audioop_tostereo - should be fine, but relies on undefined behaviour
- audioop_lin2lin - undetected overflow: size=1, size2=4, len=0x40000001
- audioop_ratecv - undetected overflow: nchannels=0x5fffffff (32bit)
- audioop_ulaw2lin - undetected overflow: size=4, len=0x40000001
- audioop_alaw2lin - same as audioop_ulaw2lin
- audioop_adpcm2lin - undetected overflow: size=4, len=0x20000001
Most of these are triggered by large fragment as an input.
Attached patch replaces checks added in r64114 by checks using INT_MAX. |
|
Date |
User |
Action |
Args |
2010-05-10 13:43:29 | thoger | set | recipients:
+ thoger |
2010-05-10 13:43:29 | thoger | set | messageid: <1273499009.24.0.283270137147.issue8674@psf.upfronthosting.co.za> |
2010-05-10 13:43:26 | thoger | link | issue8674 messages |
2010-05-10 13:43:24 | thoger | create | |
|