New submission from STINNER Victor <[email protected]>:
Most functions of audioop takes as input a byte string (audio data) and a size
argument (number of bytes of a sample). Functions don't check that the byte
string length is a multiple of the size. It leads to read and write from/to
uninitialised memory and might crash.
Example on writing into uninitilized memory:
$ python -c "import audioop; audioop.reverse('X', 2)"
Fatal Python error: Inconsistent interned string state.
Abandon
It allocates a string of 1 byte and write 2 bytes into this string => memory
corruption.
Attached patch creates audioop_check_size() and audioop_check_parameters()
functions.
----------
components: Extension Modules
files: audioop_check_length.patch
keywords: patch
messages: 97566
nosy: haypo
severity: normal
status: open
title: audioop: check that length is a multiple of the size
type: crash
versions: Python 2.7, Python 3.2
Added file: http://bugs.python.org/file15823/audioop_check_length.patch
_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue7673>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
