Author thoger
Recipients mark.dickinson, thoger
Date 2010-05-10.15:21:33
SpamBayes Score 6.83364e-07
Marked as misclassified No
Message-id <1273504895.42.0.775977214562.issue8674@psf.upfronthosting.co.za>
In-reply-to
Content
> Do you have any Python examples that failed to trigger the overflow
> on your platform?

No, I've not really tried to create some, as I found it while looking into similar checks added to rgbimg module (which is dead and removed upstream now) in the same commit r64114.

Having another close look, I can reproduce crash with lin2lin:
  audioop.lin2lin("A"*0x40000001, 1, 4)

ratecv may cause issues too.  Other cases use for loop with multiplication product as an upper bound, so the integer overflow should be harmless in those case.

> is there something about the formats that audioop is dealing
> with that limits sizes to INT_MAX (rather than PY_SSIZE_T_MAX,
> for example)?

I've started looking into this on oldish python 2.4, where PyString_FromStringAndSize accepts int size, rather than Py_ssize_t.  Rest of the audioop code was using ints too.  It's possible it is ok to more to size_t in current python version.
History
Date User Action Args
2010-05-10 15:21:35thogersetrecipients: + thoger, mark.dickinson
2010-05-10 15:21:35thogersetmessageid: <1273504895.42.0.775977214562.issue8674@psf.upfronthosting.co.za>
2010-05-10 15:21:33thogerlinkissue8674 messages
2010-05-10 15:21:33thogercreate