From 7b3960aa54bdf9bfb195fb48e98f5dcc38efa832 Mon Sep 17 00:00:00 2001
From: Anssi Hannula <anssi.hannula@iki.fi>
Date: Sat, 13 Nov 2010 18:22:25 +0200
Subject: [PATCH 11/15] fixed: CVE-2010-1634 in internal python (Mandriva)
---
 xbmc/lib/libPython/Python/Modules/audioop.c | 65 ++++++++++----------------
 1 files changed, 25 insertions(+), 40 deletions(-)
diff --git a/xbmc/lib/libPython/Python/Modules/audioop.c b/xbmc/lib/libPython/Python/Modules/audioop.c
index 51b6605..598e365 100644
--- a/xbmc/lib/libPython/Python/Modules/audioop.c
+++ b/xbmc/lib/libPython/Python/Modules/audioop.c
@@ -674,7 +674,7 @@ static PyObject *
 audioop_tostereo(PyObject *self, PyObject *args)
 {
 signed char *cp, *ncp;
- int len, new_len, size, val1, val2, val = 0;
+ int len, size, val1, val2, val = 0;
 double fac1, fac2, fval, maxval;
 PyObject *rv;
 int i;
@@ -690,14 +690,13 @@ audioop_tostereo(PyObject *self, PyObject *args)
 return 0;
 }
- new_len = len*2;
- if (new_len < 0) {
+ if (len > INT_MAX/2) {
 PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer");
 return 0;
 }
- rv = PyString_FromStringAndSize(NULL, new_len);
+ rv = PyString_FromStringAndSize(NULL, len*2);
 if ( rv == 0 ) return 0;
 ncp = (signed char *)PyString_AsString(rv);
@@ -860,7 +859,7 @@ audioop_lin2lin(PyObject *self, PyObject *args)
 {
 signed char *cp;
 unsigned char *ncp;
- int len, new_len, size, size2, val = 0;
+ int len, size, size2, val = 0;
 PyObject *rv;
 int i, j;
@@ -874,13 +873,12 @@ audioop_lin2lin(PyObject *self, PyObject *args)
 return 0;
 }
- new_len = (len/size)*size2;
- if (new_len < 0) {
+ if (len/size > INT_MAX/size2) {
 PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer");
 return 0;
 }
- rv = PyString_FromStringAndSize(NULL, new_len);
+ rv = PyString_FromStringAndSize(NULL, (len/size)*size2);
 if ( rv == 0 ) return 0;
 ncp = (unsigned char *)PyString_AsString(rv);
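Review bot: The new guard in audioop_tostereo, `if (len > INT_MAX/2)`, has no comment saying why the test now comes before the multiplication, so a later cleanup could easily restore the old `new_len < 0` form. I would add `/* Check before multiplying: signed overflow is undefined behaviour, so a sign test on the product cannot be relied on. */` above the check. The same comment fits the guards added in audioop_lin2lin, audioop_ulaw2lin and audioop_adpcm2lin. In audioop_lin2lin the guard also divides by `size` and `size2`, so it depends on the validation of those values above the hunk, which is not visible here.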
@@ -916,7 +914,6 @@ audioop_ratecv(PyObject *self, PyObject *args)
 int chan, d, *prev_i, *cur_i, cur_o;
 PyObject *state, *samps, *str, *rv = NULL;
 int bytes_per_frame;
- size_t alloc_size;
 weightA = 1;
 weightB = 0;
@@ -958,14 +955,13 @@ audioop_ratecv(PyObject *self, PyObject *args)
 inrate /= d;
 outrate /= d;
- alloc_size = sizeof(int) * (unsigned)nchannels;
- if (alloc_size < nchannels) {
+ if ((size_t)nchannels > PY_SIZE_MAX/sizeof(int)) {
 PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer");
 return 0;
 }
- prev_i = (int *) malloc(alloc_size);
- cur_i = (int *) malloc(alloc_size);
+ prev_i = (int *) malloc(nchannels * sizeof(int));
+ cur_i = (int *) malloc(nchannels * sizeof(int));
 if (prev_i == NULL || cur_i == NULL) {
 (void) PyErr_NoMemory();
 goto exit;
@@ -1001,25 +997,16 @@ audioop_ratecv(PyObject *self, PyObject *args)
 ceiling(len*outrate/inrate) output frames, and each frame requires bytes_per_frame bytes. Computing this without spurious overflow is the challenge; we can
- settle for a reasonable upper bound, though. */
- int ceiling; /* the number of output frames */
- int nbytes; /* the number of output bytes needed */
- int q = len / inrate;
- /* Now len = q * inrate + r exactly (with r = len % inrate),
- and this is less than q * inrate + inrate = (q+1)*inrate.
- So a reasonable upper bound on len*outrate/inrate is
- ((q+1)*inrate)*outrate/inrate =
- (q+1)*outrate.
- */
- ceiling = (q+1) * outrate;
- nbytes = ceiling * bytes_per_frame;
- /* See whether anything overflowed; if not, get the space. */
- if (q+1 < 0 ||
- ceiling / outrate != q+1 ||
- nbytes / bytes_per_frame != ceiling)
+ settle for a reasonable upper bound, though, in this
+ case ceiling(len/inrate) * outrate. */
+
+ /* compute ceiling(len/inrate) without overflow */
+ int q = len > 0 ? 1 + (len - 1) / inrate : 0;
+ if (outrate > INT_MAX / q / bytes_per_frame)
 str = NULL;
 else
- str = PyString_FromStringAndSize(NULL, nbytes);
+ str = PyString_FromStringAndSize(NULL,
+ q * outrate * bytes_per_frame);
 if (str == NULL) {
 PyErr_SetString(PyExc_MemoryError,
@@ -1136,7 +1123,7 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
 unsigned char *cp;
 unsigned char cval;
 signed char *ncp;
- int len, new_len, size, val;
+ int len, size, val;
 PyObject *rv;
 int i;
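Review bot: In the audioop_ratecv hunk, `q` is set to 0 when `len` is not positive, and the very next line evaluates `INT_MAX / q / bytes_per_frame`, which divides by zero for an empty input fragment. The enclosing block starts above the hunk, so whether a zero-length input is rejected earlier is not visible; if it is not, the interpreter would crash instead of returning an empty result. Guarding the test, `if (q != 0 && outrate > INT_MAX / q / bytes_per_frame)`, lets the zero-length case fall through to the allocation, where `q * outrate * bytes_per_frame` is 0. The check also relies on `bytes_per_frame` being non-zero and computed without overflow, which happens outside the hunk.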
@@ -1149,18 +1136,17 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
 return 0;
 }
- new_len = len*size;
- if (new_len < 0) {
+ if (len > INT_MAX/size) {
 PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer");
 return 0;
 }
- rv = PyString_FromStringAndSize(NULL, new_len);
+ rv = PyString_FromStringAndSize(NULL, len*size);
 if ( rv == 0 ) return 0;
 ncp = (signed char *)PyString_AsString(rv);
- for ( i=0; i < new_len; i += size ) {
+ for ( i=0; i < len*size; i += size ) {
 cval = *cp++;
 val = st_ulaw_to_linear(cval);
@@ -1285,7 +1271,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
 {
 signed char *cp;
 signed char *ncp;
- int len, new_len, size, valpred, step, delta, index, sign, vpdiff;
+ int len, size, valpred, step, delta, index, sign, vpdiff;
 PyObject *rv, *str, *state;
 int i, inputbuffer = 0, bufferstep;
@@ -1307,13 +1293,12 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
 } else if ( !PyArg_Parse(state, "(ii)", &valpred, &index) ) return 0;
- new_len = len*size*2;
- if (new_len < 0) {
+ if (len > (INT_MAX/2)/size) {
 PyErr_SetString(PyExc_MemoryError, "not enough memory for output buffer");
 return 0;
 }
- str = PyString_FromStringAndSize(NULL, new_len);
+ str = PyString_FromStringAndSize(NULL, len*size*2);
 if ( str == 0 ) return 0;
 ncp = (signed char *)PyString_AsString(str);
@@ -1321,7 +1306,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
 step = stepsizeTable[index];
 bufferstep = 0;
- for ( i=0; i < new_len; i += size ) {
+ for ( i=0; i < len*size*2; i += size ) {
 /* Step 1 - get the delta value and compute next index */
 if ( bufferstep ) {
 delta = inputbuffer & 0xf;
--
1.7.3
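Review bot: With `new_len` removed from audioop_ulaw2lin, the output size is now spelled out twice, in `PyString_FromStringAndSize(NULL, len*size)` and in the loop bound `i < len*size`. The loop presumably fills the buffer behind `ncp`, so if one expression is later edited without the other, the bound and the buffer size diverge. Keeping the local and assigning it after the guard, `new_len = len*size;`, leaves a single source for both. audioop_adpcm2lin has the same duplication with `len*size*2`. The loop bodies continue outside these hunks.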
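Review bot: In audioop_adpcm2lin, `index` is read from the caller-supplied state tuple by `PyArg_Parse(state, "(ii)", &valpred, &index)` and later used in `step = stepsizeTable[index];`, and the visible lines between the two show no range check. Only one source line lies between the two hunks, so unless a check sits there, an out-of-range state value reads outside the table, which this overflow fix does not cover. A check right after the parse, before the output string is allocated, would close that: `if (index < 0 || index >= (int)(sizeof(stepsizeTable)/sizeof(stepsizeTable[0]))) { PyErr_SetString(PyExc_ValueError, "bad state"); return 0; }`. The definition of stepsizeTable is not on this page, so confirm it is a true array in this file before relying on sizeof.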