1 |
From 7b3960aa54bdf9bfb195fb48e98f5dcc38efa832 Mon Sep 17 00:00:00 2001 |
2 |
From: Anssi Hannula <anssi.hannula@iki.fi> |
3 |
Date: Sat, 13 Nov 2010 18:22:25 +0200 |
4 |
Subject: [PATCH 11/15] fixed: CVE-2010-1634 in internal python (Mandriva) |
5 |
|
6 |
--- |
7 |
xbmc/lib/libPython/Python/Modules/audioop.c | 65 ++++++++++---------------- |
8 |
1 files changed, 25 insertions(+), 40 deletions(-) |
9 |
|
10 |
diff --git a/xbmc/lib/libPython/Python/Modules/audioop.c b/xbmc/lib/libPython/Python/Modules/audioop.c |
11 |
index 51b6605..598e365 100644 |
12 |
--- a/xbmc/lib/libPython/Python/Modules/audioop.c |
13 |
+++ b/xbmc/lib/libPython/Python/Modules/audioop.c |
14 |
@@ -674,7 +674,7 @@ static PyObject * |
15 |
audioop_tostereo(PyObject *self, PyObject *args) |
16 |
{ |
17 |
signed char *cp, *ncp; |
18 |
- int len, new_len, size, val1, val2, val = 0; |
19 |
+ int len, size, val1, val2, val = 0; |
20 |
double fac1, fac2, fval, maxval; |
21 |
PyObject *rv; |
22 |
int i; |
23 |
@@ -690,14 +690,13 @@ audioop_tostereo(PyObject *self, PyObject *args) |
24 |
return 0; |
25 |
} |
26 |
|
27 |
- new_len = len*2; |
28 |
- if (new_len < 0) { |
29 |
+ if (len > INT_MAX/2) { |
30 |
PyErr_SetString(PyExc_MemoryError, |
31 |
"not enough memory for output buffer"); |
32 |
return 0; |
33 |
} |
34 |
|
35 |
- rv = PyString_FromStringAndSize(NULL, new_len); |
36 |
+ rv = PyString_FromStringAndSize(NULL, len*2); |
37 |
if ( rv == 0 ) |
38 |
return 0; |
39 |
ncp = (signed char *)PyString_AsString(rv); |
40 |
@@ -860,7 +859,7 @@ audioop_lin2lin(PyObject *self, PyObject *args) |
41 |
{ |
42 |
signed char *cp; |
43 |
unsigned char *ncp; |
44 |
- int len, new_len, size, size2, val = 0; |
45 |
+ int len, size, size2, val = 0; |
46 |
PyObject *rv; |
47 |
int i, j; |
48 |
|
49 |
@@ -874,13 +873,12 @@ audioop_lin2lin(PyObject *self, PyObject *args) |
50 |
return 0; |
51 |
} |
52 |
|
53 |
- new_len = (len/size)*size2; |
54 |
- if (new_len < 0) { |
55 |
+ if (len/size > INT_MAX/size2) { |
56 |
PyErr_SetString(PyExc_MemoryError, |
57 |
"not enough memory for output buffer"); |
58 |
return 0; |
59 |
} |
60 |
- rv = PyString_FromStringAndSize(NULL, new_len); |
61 |
+ rv = PyString_FromStringAndSize(NULL, (len/size)*size2); |
62 |
if ( rv == 0 ) |
63 |
return 0; |
64 |
ncp = (unsigned char *)PyString_AsString(rv); |
65 |
@@ -916,7 +914,6 @@ audioop_ratecv(PyObject *self, PyObject *args) |
66 |
int chan, d, *prev_i, *cur_i, cur_o; |
67 |
PyObject *state, *samps, *str, *rv = NULL; |
68 |
int bytes_per_frame; |
69 |
- size_t alloc_size; |
70 |
|
71 |
weightA = 1; |
72 |
weightB = 0; |
73 |
@@ -958,14 +955,13 @@ audioop_ratecv(PyObject *self, PyObject *args) |
74 |
inrate /= d; |
75 |
outrate /= d; |
76 |
|
77 |
- alloc_size = sizeof(int) * (unsigned)nchannels; |
78 |
- if (alloc_size < nchannels) { |
79 |
+ if ((size_t)nchannels > PY_SIZE_MAX/sizeof(int)) { |
80 |
PyErr_SetString(PyExc_MemoryError, |
81 |
"not enough memory for output buffer"); |
82 |
return 0; |
83 |
} |
84 |
- prev_i = (int *) malloc(alloc_size); |
85 |
- cur_i = (int *) malloc(alloc_size); |
86 |
+ prev_i = (int *) malloc(nchannels * sizeof(int)); |
87 |
+ cur_i = (int *) malloc(nchannels * sizeof(int)); |
88 |
if (prev_i == NULL || cur_i == NULL) { |
89 |
(void) PyErr_NoMemory(); |
90 |
goto exit; |
91 |
@@ -1001,25 +997,16 @@ audioop_ratecv(PyObject *self, PyObject *args) |
92 |
ceiling(len*outrate/inrate) output frames, and each frame |
93 |
requires bytes_per_frame bytes. Computing this |
94 |
without spurious overflow is the challenge; we can |
95 |
- settle for a reasonable upper bound, though. */ |
96 |
- int ceiling; /* the number of output frames */ |
97 |
- int nbytes; /* the number of output bytes needed */ |
98 |
- int q = len / inrate; |
99 |
- /* Now len = q * inrate + r exactly (with r = len % inrate), |
100 |
- and this is less than q * inrate + inrate = (q+1)*inrate. |
101 |
- So a reasonable upper bound on len*outrate/inrate is |
102 |
- ((q+1)*inrate)*outrate/inrate = |
103 |
- (q+1)*outrate. |
104 |
- */ |
105 |
- ceiling = (q+1) * outrate; |
106 |
- nbytes = ceiling * bytes_per_frame; |
107 |
- /* See whether anything overflowed; if not, get the space. */ |
108 |
- if (q+1 < 0 || |
109 |
- ceiling / outrate != q+1 || |
110 |
- nbytes / bytes_per_frame != ceiling) |
111 |
+ settle for a reasonable upper bound, though, in this |
112 |
+ case ceiling(len/inrate) * outrate. */ |
113 |
+ |
114 |
+ /* compute ceiling(len/inrate) without overflow */ |
115 |
+ int q = len > 0 ? 1 + (len - 1) / inrate : 0; |
116 |
+ if (outrate > INT_MAX / q / bytes_per_frame) |
117 |
str = NULL; |
118 |
else |
119 |
- str = PyString_FromStringAndSize(NULL, nbytes); |
120 |
+ str = PyString_FromStringAndSize(NULL, |
121 |
+ q * outrate * bytes_per_frame); |
122 |
|
123 |
if (str == NULL) { |
124 |
PyErr_SetString(PyExc_MemoryError, |
125 |
@@ -1136,7 +1123,7 @@ audioop_ulaw2lin(PyObject *self, PyObject *args) |
126 |
unsigned char *cp; |
127 |
unsigned char cval; |
128 |
signed char *ncp; |
129 |
- int len, new_len, size, val; |
130 |
+ int len, size, val; |
131 |
PyObject *rv; |
132 |
int i; |
133 |
|
134 |
@@ -1149,18 +1136,17 @@ audioop_ulaw2lin(PyObject *self, PyObject *args) |
135 |
return 0; |
136 |
} |
137 |
|
138 |
- new_len = len*size; |
139 |
- if (new_len < 0) { |
140 |
+ if (len > INT_MAX/size) { |
141 |
PyErr_SetString(PyExc_MemoryError, |
142 |
"not enough memory for output buffer"); |
143 |
return 0; |
144 |
} |
145 |
- rv = PyString_FromStringAndSize(NULL, new_len); |
146 |
+ rv = PyString_FromStringAndSize(NULL, len*size); |
147 |
if ( rv == 0 ) |
148 |
return 0; |
149 |
ncp = (signed char *)PyString_AsString(rv); |
150 |
|
151 |
- for ( i=0; i < new_len; i += size ) { |
152 |
+ for ( i=0; i < len*size; i += size ) { |
153 |
cval = *cp++; |
154 |
val = st_ulaw_to_linear(cval); |
155 |
|
156 |
@@ -1285,7 +1271,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args) |
157 |
{ |
158 |
signed char *cp; |
159 |
signed char *ncp; |
160 |
- int len, new_len, size, valpred, step, delta, index, sign, vpdiff; |
161 |
+ int len, size, valpred, step, delta, index, sign, vpdiff; |
162 |
PyObject *rv, *str, *state; |
163 |
int i, inputbuffer = 0, bufferstep; |
164 |
|
165 |
@@ -1307,13 +1293,12 @@ audioop_adpcm2lin(PyObject *self, PyObject *args) |
166 |
} else if ( !PyArg_Parse(state, "(ii)", &valpred, &index) ) |
167 |
return 0; |
168 |
|
169 |
- new_len = len*size*2; |
170 |
- if (new_len < 0) { |
171 |
+ if (len > (INT_MAX/2)/size) { |
172 |
PyErr_SetString(PyExc_MemoryError, |
173 |
"not enough memory for output buffer"); |
174 |
return 0; |
175 |
} |
176 |
- str = PyString_FromStringAndSize(NULL, new_len); |
177 |
+ str = PyString_FromStringAndSize(NULL, len*size*2); |
178 |
if ( str == 0 ) |
179 |
return 0; |
180 |
ncp = (signed char *)PyString_AsString(str); |
181 |
@@ -1321,7 +1306,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args) |
182 |
step = stepsizeTable[index]; |
183 |
bufferstep = 0; |
184 |
|
185 |
- for ( i=0; i < new_len; i += size ) { |
186 |
+ for ( i=0; i < len*size*2; i += size ) { |
187 |
/* Step 1 - get the delta value and compute next index */ |
188 |
if ( bufferstep ) { |
189 |
delta = inputbuffer & 0xf; |
190 |
-- |
191 |
1.7.3 |
192 |
|