New submission from Tomas Hoger <tho...@redhat.com>: SVN commit r64114 added integer overflow checks to multiple modules. Checks added to audioop module are incorrect and can still be bypassed:
http://svn.python.org/view/python/trunk/Modules/audioop.c?r1=64114&r2=64113 - audioop_tostereo - should be fine, but relies on undefined behaviour - audioop_lin2lin - undetected overflow: size=1, size2=4, len=0x40000001 - audioop_ratecv - undetected overflow: nchannels=0x5fffffff (32bit) - audioop_ulaw2lin - undetected overflow: size=4, len=0x40000001 - audioop_alaw2lin - same as audioop_ulaw2lin - audioop_adpcm2lin - undetected overflow: size=4, len=0x20000001 Most of these are triggered by large fragment as an input. Attached patch replaces checks added in r64114 by checks using INT_MAX. ---------- components: Extension Modules files: python2.6-audioop-int-overflows.diff keywords: patch messages: 105434 nosy: thoger priority: normal severity: normal status: open title: audioop: incorrect integer overflow checks type: security versions: Python 2.6 Added file: http://bugs.python.org/file17281/python2.6-audioop-int-overflows.diff _______________________________________ Python tracker <rep...@bugs.python.org> <http://bugs.python.org/issue8674> _______________________________________ _______________________________________________ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
