Rietveld Code Review Tool
Help | Bug tracker | Discussion group | Source code | Sign in
(179109)

Unified Diff: Modules/audioop.c

Issue 24456: audioop.adpcm2lin Buffer Over-read
Patch Set: Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Please Sign in to add in-line comments.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « Lib/test/test_audioop.py ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
--- a/Modules/audioop.c Thu Jun 25 23:39:53 2015 +0300
+++ b/Modules/audioop.c Fri Jun 26 15:39:30 2015 +0300
@@ -1627,11 +1627,6 @@ audioop_lin2adpcm_impl(PyModuleDef *modu
if (!audioop_check_parameters(fragment->len, width))
return NULL;
- str = PyBytes_FromStringAndSize(NULL, fragment->len/(width*2));
- if (str == NULL)
- return NULL;
- ncp = (signed char *)PyBytes_AsString(str);
-
/* Decode state, should have (value, step) */
if ( state == Py_None ) {
/* First time, it seems. Set defaults */
@@ -1639,11 +1634,22 @@ audioop_lin2adpcm_impl(PyModuleDef *modu
index = 0;
} else if (!PyTuple_Check(state)) {
PyErr_SetString(PyExc_TypeError, "state must be a tuple or None");
- goto exit;
+ return NULL;
} else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) {
- goto exit;
+ return NULL;
+ } else {
+ if (valpred >= 0x8000 || valpred < -0x8000 ||
+ (size_t)index >= Py_ARRAY_LENGTH(stepsizeTable)) {
+ PyErr_SetString(PyExc_ValueError, "bad state");
+ return NULL;
+ }
}
+ str = PyBytes_FromStringAndSize(NULL, fragment->len/(width*2));
+ if (str == NULL)
+ return NULL;
+ ncp = (signed char *)PyBytes_AsString(str);
+
step = stepsizeTable[index];
bufferstep = 1;
@@ -1718,8 +1724,6 @@ audioop_lin2adpcm_impl(PyModuleDef *modu
bufferstep = !bufferstep;
}
rv = Py_BuildValue("(O(ii))", str, valpred, index);
-
- exit:
Py_DECREF(str);
return rv;
}
@@ -1760,6 +1764,13 @@ audioop_adpcm2lin_impl(PyModuleDef *modu
return NULL;
} else if (!PyArg_ParseTuple(state, "ii", &valpred, &index))
return NULL;
+ else {
+ if (valpred >= 0x8000 || valpred < -0x8000 ||
+ (size_t)index >= Py_ARRAY_LENGTH(stepsizeTable)) {
+ PyErr_SetString(PyExc_ValueError, "bad state");
+ return NULL;
+ }
+ }
if (fragment->len > (PY_SSIZE_T_MAX/2)/width) {
PyErr_SetString(PyExc_MemoryError,
« no previous file with comments | « Lib/test/test_audioop.py ('k') | no next file » | no next file with comments »

RSS Feeds Recent Issues | This issue
This is Rietveld 894c83f36cb7+