changeset: 96704:3039cb5b673c branch: 3.5 parent: 96699:20aa7083057e parent: 96703:fd17e168b59f user: Serhiy Storchaka date: Sun Jun 28 17:55:33 2015 +0300 files: Misc/NEWS Modules/audioop.c description: Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm() functions of the audioop module. diff -r 20aa7083057e -r 3039cb5b673c Lib/test/test_audioop.py --- a/Lib/test/test_audioop.py Sun Jun 28 17:08:35 2015 +0300 +++ b/Lib/test/test_audioop.py Sun Jun 28 17:55:33 2015 +0300 @@ -273,6 +273,16 @@ # state must be a tuple or None, not an integer self.assertRaises(TypeError, audioop.adpcm2lin, b'\0', 1, 555) self.assertRaises(TypeError, audioop.lin2adpcm, b'\0', 1, 555) + # Issues #24456, #24457: index out of range + self.assertRaises(ValueError, audioop.adpcm2lin, b'\0', 1, (0, -1)) + self.assertRaises(ValueError, audioop.adpcm2lin, b'\0', 1, (0, 89)) + self.assertRaises(ValueError, audioop.lin2adpcm, b'\0', 1, (0, -1)) + self.assertRaises(ValueError, audioop.lin2adpcm, b'\0', 1, (0, 89)) + # value out of range + self.assertRaises(ValueError, audioop.adpcm2lin, b'\0', 1, (-0x8001, 0)) + self.assertRaises(ValueError, audioop.adpcm2lin, b'\0', 1, (0x8000, 0)) + self.assertRaises(ValueError, audioop.lin2adpcm, b'\0', 1, (-0x8001, 0)) + self.assertRaises(ValueError, audioop.lin2adpcm, b'\0', 1, (0x8000, 0)) def test_lin2alaw(self): self.assertEqual(audioop.lin2alaw(datas[1], 1), diff -r 20aa7083057e -r 3039cb5b673c Misc/NEWS --- a/Misc/NEWS Sun Jun 28 17:08:35 2015 +0300 +++ b/Misc/NEWS Sun Jun 28 17:55:33 2015 +0300 @@ -25,6 +25,9 @@ Library ------- +- Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm() + functions of the audioop module. + - Issue #24336: The contextmanager decorator now works with functions with keyword arguments called "func" and "self". Patch by Martin Panter. diff -r 20aa7083057e -r 3039cb5b673c Modules/audioop.c --- a/Modules/audioop.c Sun Jun 28 17:08:35 2015 +0300 +++ b/Modules/audioop.c Sun Jun 28 17:55:33 2015 +0300 @@ -1627,22 +1627,29 @@ if (!audioop_check_parameters(fragment->len, width)) return NULL; - str = PyBytes_FromStringAndSize(NULL, fragment->len/(width*2)); - if (str == NULL) - return NULL; - ncp = (signed char *)PyBytes_AsString(str); - /* Decode state, should have (value, step) */ if ( state == Py_None ) { /* First time, it seems. Set defaults */ valpred = 0; index = 0; - } else if (!PyTuple_Check(state)) { + } + else if (!PyTuple_Check(state)) { PyErr_SetString(PyExc_TypeError, "state must be a tuple or None"); - goto exit; - } else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) { - goto exit; + return NULL; + } + else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) { + return NULL; } + else if (valpred >= 0x8000 || valpred < -0x8000 || + (size_t)index >= Py_ARRAY_LENGTH(stepsizeTable)) { + PyErr_SetString(PyExc_ValueError, "bad state"); + return NULL; + } + + str = PyBytes_FromStringAndSize(NULL, fragment->len/(width*2)); + if (str == NULL) + return NULL; + ncp = (signed char *)PyBytes_AsString(str); step = stepsizeTable[index]; bufferstep = 1; @@ -1718,8 +1725,6 @@ bufferstep = !bufferstep; } rv = Py_BuildValue("(O(ii))", str, valpred, index); - - exit: Py_DECREF(str); return rv; } @@ -1755,11 +1760,19 @@ /* First time, it seems. Set defaults */ valpred = 0; index = 0; - } else if (!PyTuple_Check(state)) { + } + else if (!PyTuple_Check(state)) { PyErr_SetString(PyExc_TypeError, "state must be a tuple or None"); return NULL; - } else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) + } + else if (!PyArg_ParseTuple(state, "ii", &valpred, &index)) { return NULL; + } + else if (valpred >= 0x8000 || valpred < -0x8000 || + (size_t)index >= Py_ARRAY_LENGTH(stepsizeTable)) { + PyErr_SetString(PyExc_ValueError, "bad state"); + return NULL; + } if (fragment->len > (PY_SSIZE_T_MAX/2)/width) { PyErr_SetString(PyExc_MemoryError,