current/SOURCES/0011-fixed-CVE-2010-1634-in-internal-python-Mandriva.patch

From 7b3960aa54bdf9bfb195fb48e98f5dcc38efa832 Mon Sep 17 00:00:00 2001
From: Anssi Hannula <anssi.hannula@iki.fi>
Date: Sat, 13 Nov 2010 18:22:25 +0200
Subject: [PATCH 11/15] fixed: CVE-2010-1634 in internal python (Mandriva)

---
 xbmc/lib/libPython/Python/Modules/audioop.c |   65 ++++++++++----------------
 1 files changed, 25 insertions(+), 40 deletions(-)

diff --git a/xbmc/lib/libPython/Python/Modules/audioop.c b/xbmc/lib/libPython/Python/Modules/audioop.c
index 51b6605..598e365 100644
--- a/xbmc/lib/libPython/Python/Modules/audioop.c
+++ b/xbmc/lib/libPython/Python/Modules/audioop.c
@@ -674,7 +674,7 @@ static PyObject *
 audioop_tostereo(PyObject *self, PyObject *args)
 {
        signed char *cp, *ncp;
-       int len, new_len, size, val1, val2, val = 0;
+       int len, size, val1, val2, val = 0;
        double fac1, fac2, fval, maxval;
        PyObject *rv;
        int i;
@@ -690,14 +690,13 @@ audioop_tostereo(PyObject *self, PyObject *args)
                return 0;
        }
     
-       new_len = len*2;
-       if (new_len < 0) {
+       if (len > INT_MAX/2) {
                PyErr_SetString(PyExc_MemoryError,
                                "not enough memory for output buffer");
                return 0;
        }
 
-       rv = PyString_FromStringAndSize(NULL, new_len);
+       rv = PyString_FromStringAndSize(NULL, len*2);
        if ( rv == 0 )
                return 0;
        ncp = (signed char *)PyString_AsString(rv);
@@ -860,7 +859,7 @@ audioop_lin2lin(PyObject *self, PyObject *args)
 {
        signed char *cp;
        unsigned char *ncp;
-       int len, new_len, size, size2, val = 0;
+       int len, size, size2, val = 0;
        PyObject *rv;
        int i, j;
 
@@ -874,13 +873,12 @@ audioop_lin2lin(PyObject *self, PyObject *args)
                return 0;
        }
     
-       new_len = (len/size)*size2;
-       if (new_len < 0) {
+       if (len/size > INT_MAX/size2) {
                PyErr_SetString(PyExc_MemoryError,
                                "not enough memory for output buffer");
                return 0;
        }
-       rv = PyString_FromStringAndSize(NULL, new_len);
+       rv = PyString_FromStringAndSize(NULL, (len/size)*size2);
        if ( rv == 0 )
                return 0;
        ncp = (unsigned char *)PyString_AsString(rv);
@@ -916,7 +914,6 @@ audioop_ratecv(PyObject *self, PyObject *args)
        int chan, d, *prev_i, *cur_i, cur_o;
        PyObject *state, *samps, *str, *rv = NULL;
        int bytes_per_frame;
-       size_t alloc_size;
 
        weightA = 1;
        weightB = 0;
@@ -958,14 +955,13 @@ audioop_ratecv(PyObject *self, PyObject *args)
        inrate /= d;
        outrate /= d;
 
-       alloc_size = sizeof(int) * (unsigned)nchannels;
-       if (alloc_size < nchannels) {
+       if ((size_t)nchannels > PY_SIZE_MAX/sizeof(int)) {
                PyErr_SetString(PyExc_MemoryError,
                                "not enough memory for output buffer");
                return 0;
        }
-       prev_i = (int *) malloc(alloc_size);
-       cur_i = (int *) malloc(alloc_size);
+       prev_i = (int *) malloc(nchannels * sizeof(int));
+       cur_i = (int *) malloc(nchannels * sizeof(int));
        if (prev_i == NULL || cur_i == NULL) {
                (void) PyErr_NoMemory();
                goto exit;
@@ -1001,25 +997,16 @@ audioop_ratecv(PyObject *self, PyObject *args)
                   ceiling(len*outrate/inrate) output frames, and each frame
                   requires bytes_per_frame bytes.  Computing this
                   without spurious overflow is the challenge; we can
-                  settle for a reasonable upper bound, though. */
-               int ceiling;   /* the number of output frames */
-               int nbytes;    /* the number of output bytes needed */
-               int q = len / inrate;
-               /* Now len = q * inrate + r exactly (with r = len % inrate),
-                  and this is less than q * inrate + inrate = (q+1)*inrate.
-                  So a reasonable upper bound on len*outrate/inrate is
-                  ((q+1)*inrate)*outrate/inrate =
-                  (q+1)*outrate.
-               */
-               ceiling = (q+1) * outrate;
-               nbytes = ceiling * bytes_per_frame;
-               /* See whether anything overflowed; if not, get the space. */
-               if (q+1 < 0 ||
-                   ceiling / outrate != q+1 ||
-                   nbytes / bytes_per_frame != ceiling)
+                  settle for a reasonable upper bound, though, in this
+                  case ceiling(len/inrate) * outrate. */
+
+               /* compute ceiling(len/inrate) without overflow */
+               int q = len > 0 ? 1 + (len - 1) / inrate : 0;
+               if (outrate > INT_MAX / q / bytes_per_frame)
                        str = NULL;
                else
-                       str = PyString_FromStringAndSize(NULL, nbytes);
+                       str = PyString_FromStringAndSize(NULL,
+                                                        q * outrate * bytes_per_frame);
 
                if (str == NULL) {
                        PyErr_SetString(PyExc_MemoryError,
@@ -1136,7 +1123,7 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
        unsigned char *cp;
        unsigned char cval;
        signed char *ncp;
-       int len, new_len, size, val;
+       int len, size, val;
        PyObject *rv;
        int i;
 
@@ -1149,18 +1136,17 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
                return 0;
        }
     
-       new_len = len*size;
-       if (new_len < 0) {
+       if (len > INT_MAX/size) {
                PyErr_SetString(PyExc_MemoryError,
                        "not enough memory for output buffer");
                return 0;
        }
-       rv = PyString_FromStringAndSize(NULL, new_len);
+       rv = PyString_FromStringAndSize(NULL, len*size);
        if ( rv == 0 )
                return 0;
        ncp = (signed char *)PyString_AsString(rv);
     
-       for ( i=0; i < new_len; i += size ) {
+       for ( i=0; i < len*size; i += size ) {
                cval = *cp++;
                val = st_ulaw_to_linear(cval);
        
@@ -1285,7 +1271,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
 {
        signed char *cp;
        signed char *ncp;
-       int len, new_len, size, valpred, step, delta, index, sign, vpdiff;
+       int len, size, valpred, step, delta, index, sign, vpdiff;
        PyObject *rv, *str, *state;
        int i, inputbuffer = 0, bufferstep;
 
@@ -1307,13 +1293,12 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
        } else if ( !PyArg_Parse(state, "(ii)", &valpred, &index) )
                return 0;
     
-       new_len = len*size*2;
-       if (new_len < 0) {
+       if (len > (INT_MAX/2)/size) {
                PyErr_SetString(PyExc_MemoryError,
                                "not enough memory for output buffer");
                return 0;
        }
-       str = PyString_FromStringAndSize(NULL, new_len);
+       str = PyString_FromStringAndSize(NULL, len*size*2);
        if ( str == 0 )
                return 0;
        ncp = (signed char *)PyString_AsString(str);
@@ -1321,7 +1306,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
        step = stepsizeTable[index];
        bufferstep = 0;
     
-       for ( i=0; i < new_len; i += size ) {
+       for ( i=0; i < len*size*2; i += size ) {
                /* Step 1 - get the delta value and compute next index */
                if ( bufferstep ) {
                        delta = inputbuffer & 0xf;
-- 
1.7.3

1	From 7b3960aa54bdf9bfb195fb48e98f5dcc38efa832 Mon Sep 17 00:00:00 2001
2	From: Anssi Hannula <anssi.hannula@iki.fi>
3	Date: Sat, 13 Nov 2010 18:22:25 +0200
4	Subject: [PATCH 11/15] fixed: CVE-2010-1634 in internal python (Mandriva)
5
6	---
7	xbmc/lib/libPython/Python/Modules/audioop.c \| 65 ++++++++++----------------
8	1 files changed, 25 insertions(+), 40 deletions(-)
9
10	diff --git a/xbmc/lib/libPython/Python/Modules/audioop.c b/xbmc/lib/libPython/Python/Modules/audioop.c
11	index 51b6605..598e365 100644
12	--- a/xbmc/lib/libPython/Python/Modules/audioop.c
13	+++ b/xbmc/lib/libPython/Python/Modules/audioop.c
14	@@ -674,7 +674,7 @@ static PyObject *
15	audioop_tostereo(PyObject self, PyObject args)
16	{
17	signed char cp, ncp;
18	- int len, new_len, size, val1, val2, val = 0;
19	+ int len, size, val1, val2, val = 0;
20	double fac1, fac2, fval, maxval;
21	PyObject *rv;
22	int i;
23	@@ -690,14 +690,13 @@ audioop_tostereo(PyObject self, PyObject args)
24	return 0;
25	}
26
27	- new_len = len*2;
28	- if (new_len < 0) {
29	+ if (len > INT_MAX/2) {
30	PyErr_SetString(PyExc_MemoryError,
31	"not enough memory for output buffer");
32	return 0;
33	}
34
35	- rv = PyString_FromStringAndSize(NULL, new_len);
36	+ rv = PyString_FromStringAndSize(NULL, len*2);
37	if ( rv == 0 )
38	return 0;
39	ncp = (signed char *)PyString_AsString(rv);
40	@@ -860,7 +859,7 @@ audioop_lin2lin(PyObject self, PyObject args)
41	{
42	signed char *cp;
43	unsigned char *ncp;
44	- int len, new_len, size, size2, val = 0;
45	+ int len, size, size2, val = 0;
46	PyObject *rv;
47	int i, j;
48
49	@@ -874,13 +873,12 @@ audioop_lin2lin(PyObject self, PyObject args)
50	return 0;
51	}
52
53	- new_len = (len/size)*size2;
54	- if (new_len < 0) {
55	+ if (len/size > INT_MAX/size2) {
56	PyErr_SetString(PyExc_MemoryError,
57	"not enough memory for output buffer");
58	return 0;
59	}
60	- rv = PyString_FromStringAndSize(NULL, new_len);
61	+ rv = PyString_FromStringAndSize(NULL, (len/size)*size2);
62	if ( rv == 0 )
63	return 0;
64	ncp = (unsigned char *)PyString_AsString(rv);
65	@@ -916,7 +914,6 @@ audioop_ratecv(PyObject self, PyObject args)
66	int chan, d, prev_i, cur_i, cur_o;
67	PyObject state, samps, str, rv = NULL;
68	int bytes_per_frame;
69	- size_t alloc_size;
70
71	weightA = 1;
72	weightB = 0;
73	@@ -958,14 +955,13 @@ audioop_ratecv(PyObject self, PyObject args)
74	inrate /= d;
75	outrate /= d;
76
77	- alloc_size = sizeof(int) * (unsigned)nchannels;
78	- if (alloc_size < nchannels) {
79	+ if ((size_t)nchannels > PY_SIZE_MAX/sizeof(int)) {
80	PyErr_SetString(PyExc_MemoryError,
81	"not enough memory for output buffer");
82	return 0;
83	}
84	- prev_i = (int *) malloc(alloc_size);
85	- cur_i = (int *) malloc(alloc_size);
86	+ prev_i = (int ) malloc(nchannels sizeof(int));
87	+ cur_i = (int ) malloc(nchannels sizeof(int));
88	if (prev_i == NULL \|\| cur_i == NULL) {
89	(void) PyErr_NoMemory();
90	goto exit;
91	@@ -1001,25 +997,16 @@ audioop_ratecv(PyObject self, PyObject args)
92	ceiling(len*outrate/inrate) output frames, and each frame
93	requires bytes_per_frame bytes. Computing this
94	without spurious overflow is the challenge; we can
95	- settle for a reasonable upper bound, though. */
96	- int ceiling; /* the number of output frames */
97	- int nbytes; /* the number of output bytes needed */
98	- int q = len / inrate;
99	- /* Now len = q * inrate + r exactly (with r = len % inrate),
100	- and this is less than q * inrate + inrate = (q+1)*inrate.
101	- So a reasonable upper bound on len*outrate/inrate is
102	- ((q+1)inrate)outrate/inrate =
103	- (q+1)*outrate.
104	- */
105	- ceiling = (q+1) * outrate;
106	- nbytes = ceiling * bytes_per_frame;
107	- /* See whether anything overflowed; if not, get the space. */
108	- if (q+1 < 0 \|\|
109	- ceiling / outrate != q+1 \|\|
110	- nbytes / bytes_per_frame != ceiling)
111	+ settle for a reasonable upper bound, though, in this
112	+ case ceiling(len/inrate) * outrate. */
113	+
114	+ /* compute ceiling(len/inrate) without overflow */
115	+ int q = len > 0 ? 1 + (len - 1) / inrate : 0;
116	+ if (outrate > INT_MAX / q / bytes_per_frame)
117	str = NULL;
118	else
119	- str = PyString_FromStringAndSize(NULL, nbytes);
120	+ str = PyString_FromStringAndSize(NULL,
121	+ q * outrate * bytes_per_frame);
122
123	if (str == NULL) {
124	PyErr_SetString(PyExc_MemoryError,
125	@@ -1136,7 +1123,7 @@ audioop_ulaw2lin(PyObject self, PyObject args)
126	unsigned char *cp;
127	unsigned char cval;
128	signed char *ncp;
129	- int len, new_len, size, val;
130	+ int len, size, val;
131	PyObject *rv;
132	int i;
133
134	@@ -1149,18 +1136,17 @@ audioop_ulaw2lin(PyObject self, PyObject args)
135	return 0;
136	}
137
138	- new_len = len*size;
139	- if (new_len < 0) {
140	+ if (len > INT_MAX/size) {
141	PyErr_SetString(PyExc_MemoryError,
142	"not enough memory for output buffer");
143	return 0;
144	}
145	- rv = PyString_FromStringAndSize(NULL, new_len);
146	+ rv = PyString_FromStringAndSize(NULL, len*size);
147	if ( rv == 0 )
148	return 0;
149	ncp = (signed char *)PyString_AsString(rv);
150
151	- for ( i=0; i < new_len; i += size ) {
152	+ for ( i=0; i < len*size; i += size ) {
153	cval = *cp++;
154	val = st_ulaw_to_linear(cval);
155
156	@@ -1285,7 +1271,7 @@ audioop_adpcm2lin(PyObject self, PyObject args)
157	{
158	signed char *cp;
159	signed char *ncp;
160	- int len, new_len, size, valpred, step, delta, index, sign, vpdiff;
161	+ int len, size, valpred, step, delta, index, sign, vpdiff;
162	PyObject rv, str, *state;
163	int i, inputbuffer = 0, bufferstep;
164
165	@@ -1307,13 +1293,12 @@ audioop_adpcm2lin(PyObject self, PyObject args)
166	} else if ( !PyArg_Parse(state, "(ii)", &valpred, &index) )
167	return 0;
168
169	- new_len = lensize2;
170	- if (new_len < 0) {
171	+ if (len > (INT_MAX/2)/size) {
172	PyErr_SetString(PyExc_MemoryError,
173	"not enough memory for output buffer");
174	return 0;
175	}
176	- str = PyString_FromStringAndSize(NULL, new_len);
177	+ str = PyString_FromStringAndSize(NULL, lensize2);
178	if ( str == 0 )
179	return 0;
180	ncp = (signed char *)PyString_AsString(str);
181	@@ -1321,7 +1306,7 @@ audioop_adpcm2lin(PyObject self, PyObject args)
182	step = stepsizeTable[index];
183	bufferstep = 0;
184
185	- for ( i=0; i < new_len; i += size ) {
186	+ for ( i=0; i < lensize2; i += size ) {
187	/* Step 1 - get the delta value and compute next index */
188	if ( bufferstep ) {
189	delta = inputbuffer & 0xf;
190	--
191	1.7.3
192