Package: python2.5
Severity: grave
Tags: security
CVE-2010-1634 and CVE-2010-2089 are fixed in the other Python packages
in Squeeze, but still unfixed for python2.5.
Patch attached.
Cheers,
Moritz
-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=C, lc_ctype=de_de.iso-8859...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages python2.5 depends on:
ii libbz2-1.0 1.0.5-4 high-quality block-sorting file co
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
pn libdb4.5 <none> (no description available)
ii libncursesw5 5.7+20100313-2 shared libraries for terminal hand
ii libreadline6 6.1-3 GNU readline and history libraries
ii libsqlite3-0 3.7.0.1-1 SQLite 3 shared library
ii libssl0.9.8 0.9.8o-1 SSL shared libraries
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
pn python2.5-minimal <none> (no description available)
python2.5 recommends no packages.
Versions of packages python2.5 suggests:
pn python-profiler <none> (no description available)
pn python2.5-doc <none> (no description available)
--- Modules/audioop.c.orig 2008-07-07 19:02:59.000000000 +0200
+++ python2.5-2.5.5/Modules/audioop.c 2010-05-10 15:35:23.000000000 +0200
@@ -829,7 +829,7 @@ static PyObject *
audioop_tostereo(PyObject *self, PyObject *args)
{
signed char *cp, *ncp;
- int len, new_len, size, val1, val2, val = 0;
+ int len, size, val1, val2, val = 0;
double fac1, fac2, fval, maxval;
PyObject *rv;
int i;
@@ -846,14 +846,13 @@ audioop_tostereo(PyObject *self, PyObjec
return 0;
}
- new_len = len*2;
- if (new_len < 0) {
+ if (len > INT_MAX/2) {
PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer");
return 0;
}
- rv = PyString_FromStringAndSize(NULL, new_len);
+ rv = PyString_FromStringAndSize(NULL, len*2);
if ( rv == 0 )
return 0;
ncp = (signed char *)PyString_AsString(rv);
@@ -1016,7 +1015,7 @@ audioop_lin2lin(PyObject *self, PyObject
{
signed char *cp;
unsigned char *ncp;
- int len, new_len, size, size2, val = 0;
+ int len, size, size2, val = 0;
PyObject *rv;
int i, j;
@@ -1030,13 +1029,12 @@ audioop_lin2lin(PyObject *self, PyObject
return 0;
}
- new_len = (len/size)*size2;
- if (new_len < 0) {
+ if (len/size > INT_MAX/size2) {
PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer");
return 0;
}
- rv = PyString_FromStringAndSize(NULL, new_len);
+ rv = PyString_FromStringAndSize(NULL, (len/size)*size2);
if ( rv == 0 )
return 0;
ncp = (unsigned char *)PyString_AsString(rv);
@@ -1072,7 +1070,6 @@ audioop_ratecv(PyObject *self, PyObject
int chan, d, *prev_i, *cur_i, cur_o;
PyObject *state, *samps, *str, *rv = NULL;
int bytes_per_frame;
- size_t alloc_size;
weightA = 1;
weightB = 0;
@@ -1115,14 +1112,13 @@ audioop_ratecv(PyObject *self, PyObject
inrate /= d;
outrate /= d;
- alloc_size = sizeof(int) * (unsigned)nchannels;
- if (alloc_size < nchannels) {
+ if (nchannels > PY_SIZE_MAX/sizeof(int)) {
PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer");
return 0;
}
- prev_i = (int *) malloc(alloc_size);
- cur_i = (int *) malloc(alloc_size);
+ prev_i = (int *) malloc(nchannels * sizeof(int));
+ cur_i = (int *) malloc(nchannels * sizeof(int));
if (prev_i == NULL || cur_i == NULL) {
(void) PyErr_NoMemory();
goto exit;
@@ -1296,7 +1292,7 @@ audioop_ulaw2lin(PyObject *self, PyObjec
unsigned char *cp;
unsigned char cval;
signed char *ncp;
- int len, new_len, size, val;
+ int len, size, val;
PyObject *rv;
int i;
@@ -1309,18 +1305,17 @@ audioop_ulaw2lin(PyObject *self, PyObjec
return 0;
}
- new_len = len*size;
- if (new_len < 0) {
+ if (len > INT_MAX/size) {
PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer");
return 0;
}
- rv = PyString_FromStringAndSize(NULL, new_len);
+ rv = PyString_FromStringAndSize(NULL, len*size);
if ( rv == 0 )
return 0;
ncp = (signed char *)PyString_AsString(rv);
- for ( i=0; i < new_len; i += size ) {
+ for ( i=0; i < len*size; i += size ) {
cval = *cp++;
val = st_ulaw2linear16(cval);
@@ -1370,7 +1365,7 @@ audioop_alaw2lin(PyObject *self, PyObjec
unsigned char *cp;
unsigned char cval;
signed char *ncp;
- int len, new_len, size, val;
+ int len, size, val;
PyObject *rv;
int i;
@@ -1383,18 +1378,17 @@ audioop_alaw2lin(PyObject *self, PyObjec
return 0;
}
- new_len = len*size;
- if (new_len < 0) {
+ if (len > INT_MAX/size) {
PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer");
return 0;
}
- rv = PyString_FromStringAndSize(NULL, new_len);
+ rv = PyString_FromStringAndSize(NULL, len*size);
if ( rv == 0 )
return 0;
ncp = (signed char *)PyString_AsString(rv);
- for ( i=0; i < new_len; i += size ) {
+ for ( i=0; i < len*size; i += size ) {
cval = *cp++;
val = st_alaw2linear16(cval);
@@ -1519,7 +1513,7 @@ audioop_adpcm2lin(PyObject *self, PyObje
{
signed char *cp;
signed char *ncp;
- int len, new_len, size, valpred, step, delta, index, sign, vpdiff;
+ int len, size, valpred, step, delta, index, sign, vpdiff;
PyObject *rv, *str, *state;
int i, inputbuffer = 0, bufferstep;
@@ -1541,13 +1535,12 @@ audioop_adpcm2lin(PyObject *self, PyObje
} else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) )
return 0;
- new_len = len*size*2;
- if (new_len < 0) {
+ if (len > (INT_MAX/size)/2) {
PyErr_SetString(PyExc_MemoryError,
"not enough memory for output buffer");
return 0;
}
- str = PyString_FromStringAndSize(NULL, new_len);
+ str = PyString_FromStringAndSize(NULL, len*size*2);
if ( str == 0 )
return 0;
ncp = (signed char *)PyString_AsString(str);
@@ -1555,7 +1548,7 @@ audioop_adpcm2lin(PyObject *self, PyObje
step = stepsizeTable[index];
bufferstep = 0;
- for ( i=0; i < new_len; i += size ) {
+ for ( i=0; i < len*size*2; i += size ) {
/* Step 1 - get the delta value and compute next index */
if ( bufferstep ) {
delta = inputbuffer & 0xf;
--- a/Modules/audioop.c
+++ python2.5-2.5.5/Modules/audioop.c
@@ -295,6 +295,29 @@ static int stepsizeTable[89] = {
static PyObject *AudioopError;
+static int
+audioop_check_size(int size)
+{
+ if ( size != 1 && size != 2 && size != 4 ) {
+ PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
+ return 0;
+ } else {
+ return 1;
+ }
+}
+
+static int
+audioop_check_parameters(int len, int size)
+{
+ if (!audioop_check_size(size))
+ return 0;
+ if ( len % size != 0 ) {
+ PyErr_SetString(AudioopError, "not a whole number of frames");
+ return 0;
+ }
+ return 1;
+}
+
static PyObject *
audioop_getsample(PyObject *self, PyObject *args)
{
@@ -304,10 +327,8 @@ audioop_getsample(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#ii:getsample", &cp, &len, &size, &i) )
return 0;
- if ( size != 1 && size != 2 && size != 4 ) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
if ( i < 0 || i >= len/size ) {
PyErr_SetString(AudioopError, "Index out of range");
return 0;
@@ -328,10 +349,8 @@ audioop_max(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:max", &cp, &len, &size) )
return 0;
- if ( size != 1 && size != 2 && size != 4 ) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
for ( i=0; i<len; i+= size) {
if ( size == 1 ) val = (int)*CHARP(cp, i);
else if ( size == 2 ) val = (int)*SHORTP(cp, i);
@@ -352,10 +371,8 @@ audioop_minmax(PyObject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "s#i:minmax", &cp, &len, &size))
return NULL;
- if (size != 1 && size != 2 && size != 4) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
+ if (!audioop_check_parameters(len, size))
return NULL;
- }
for (i = 0; i < len; i += size) {
if (size == 1) val = (int) *CHARP(cp, i);
else if (size == 2) val = (int) *SHORTP(cp, i);
@@ -376,10 +393,8 @@ audioop_avg(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:avg", &cp, &len, &size) )
return 0;
- if ( size != 1 && size != 2 && size != 4 ) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
for ( i=0; i<len; i+= size) {
if ( size == 1 ) val = (int)*CHARP(cp, i);
else if ( size == 2 ) val = (int)*SHORTP(cp, i);
@@ -403,10 +418,8 @@ audioop_rms(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:rms", &cp, &len, &size) )
return 0;
- if ( size != 1 && size != 2 && size != 4 ) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
for ( i=0; i<len; i+= size) {
if ( size == 1 ) val = (int)*CHARP(cp, i);
else if ( size == 2 ) val = (int)*SHORTP(cp, i);
@@ -614,10 +627,8 @@ audioop_avgpp(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:avgpp", &cp, &len, &size) )
return 0;
- if ( size != 1 && size != 2 && size != 4 ) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
/* Compute first delta value ahead. Also automatically makes us
** skip the first extreme value
*/
@@ -671,10 +682,8 @@ audioop_maxpp(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:maxpp", &cp, &len, &size) )
return 0;
- if ( size != 1 && size != 2 && size != 4 ) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
/* Compute first delta value ahead. Also automatically makes us
** skip the first extreme value
*/
@@ -722,10 +731,8 @@ audioop_cross(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:cross", &cp, &len, &size) )
return 0;
- if ( size != 1 && size != 2 && size != 4 ) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
ncross = -1;
prevval = 17; /* Anything <> 0,1 */
for ( i=0; i<len; i+= size) {
@@ -750,6 +757,8 @@ audioop_mul(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#id:mul", &cp, &len, &size, &factor ) )
return 0;
+ if (!audioop_check_parameters(len, size))
+ return NULL;
if ( size == 1 ) maxval = (double) 0x7f;
else if ( size == 2 ) maxval = (double) 0x7fff;
@@ -792,6 +801,12 @@ audioop_tomono(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#idd:tomono",
&cp, &len, &size, &fac1, &fac2 ) )
return 0;
+ if (!audioop_check_parameters(len, size))
+ return NULL;
+ if ( ((len / size) & 1) != 0 ) {
+ PyErr_SetString(AudioopError, "not a whole number of frames");
+ return NULL;
+ }
if ( size == 1 ) maxval = (double) 0x7f;
else if ( size == 2 ) maxval = (double) 0x7fff;
@@ -837,6 +852,8 @@ audioop_tostereo(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#idd:tostereo",
&cp, &len, &size, &fac1, &fac2 ) )
return 0;
+ if (!audioop_check_parameters(len, size))
+ return NULL;
if ( size == 1 ) maxval = (double) 0x7f;
else if ( size == 2 ) maxval = (double) 0x7fff;
@@ -896,7 +913,8 @@ audioop_add(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#s#i:add",
&cp1, &len1, &cp2, &len2, &size ) )
return 0;
-
+ if (!audioop_check_parameters(len1, size))
+ return NULL;
if ( len1 != len2 ) {
PyErr_SetString(AudioopError, "Lengths should be the same");
return 0;
@@ -950,11 +968,8 @@ audioop_bias(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#ii:bias",
&cp, &len, &size , &bias) )
return 0;
-
- if ( size != 1 && size != 2 && size != 4) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
rv = PyString_FromStringAndSize(NULL, len);
if ( rv == 0 )
@@ -986,12 +1001,9 @@ audioop_reverse(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:reverse",
&cp, &len, &size) )
return 0;
+ if (!audioop_check_parameters(len, size))
+ return NULL;
- if ( size != 1 && size != 2 && size != 4 ) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
-
rv = PyString_FromStringAndSize(NULL, len);
if ( rv == 0 )
return 0;
@@ -1023,12 +1035,10 @@ audioop_lin2lin(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#ii:lin2lin",
&cp, &len, &size, &size2) )
return 0;
-
- if ( (size != 1 && size != 2 && size != 4) ||
- (size2 != 1 && size2 != 2 && size2 != 4)) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
+ if (!audioop_check_size(size2))
+ return NULL;
new_len = (len/size)*size2;
if (new_len < 0) {
@@ -1080,10 +1090,8 @@ audioop_ratecv(PyObject *self, PyObject *args)
&nchannels, &inrate, &outrate, &state,
&weightA, &weightB))
return NULL;
- if (size != 1 && size != 2 && size != 4) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
+ if (!audioop_check_size(size))
return NULL;
- }
if (nchannels < 1) {
PyErr_SetString(AudioopError, "# of channels should be >= 1");
return NULL;
@@ -1269,11 +1277,8 @@ audioop_lin2ulaw(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:lin2ulaw",
&cp, &len, &size) )
return 0 ;
-
- if ( size != 1 && size != 2 && size != 4) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
rv = PyString_FromStringAndSize(NULL, len/size);
if ( rv == 0 )
@@ -1303,11 +1308,8 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:ulaw2lin",
&cp, &len, &size) )
return 0;
-
- if ( size != 1 && size != 2 && size != 4) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_size(size))
+ return NULL;
new_len = len*size;
if (new_len < 0) {
@@ -1343,11 +1345,8 @@ audioop_lin2alaw(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:lin2alaw",
&cp, &len, &size) )
return 0;
-
- if ( size != 1 && size != 2 && size != 4) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
rv = PyString_FromStringAndSize(NULL, len/size);
if ( rv == 0 )
@@ -1377,11 +1376,8 @@ audioop_alaw2lin(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#i:alaw2lin",
&cp, &len, &size) )
return 0;
-
- if ( size != 1 && size != 2 && size != 4) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_size(size))
+ return NULL;
new_len = len*size;
if (new_len < 0) {
@@ -1418,12 +1414,8 @@ audioop_lin2adpcm(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#iO:lin2adpcm",
&cp, &len, &size, &state) )
return 0;
-
-
- if ( size != 1 && size != 2 && size != 4) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_parameters(len, size))
+ return NULL;
str = PyString_FromStringAndSize(NULL, len/(size*2));
if ( str == 0 )
@@ -1526,11 +1518,8 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
if ( !PyArg_ParseTuple(args, "s#iO:adpcm2lin",
&cp, &len, &size, &state) )
return 0;
-
- if ( size != 1 && size != 2 && size != 4) {
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
- return 0;
- }
+ if (!audioop_check_size(size))
+ return NULL;
/* Decode state, should have (value, step) */
if ( state == Py_None ) {
