[issue24456] audioop.adpcm2lin Buffer Over-read

2015-07-05 Thread Arfrever Frehtes Taifersar Arahesis

Changes by Arfrever Frehtes Taifersar Arahesis arfrever@gmail.com:


--
nosy: +Arfrever

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue24456
___
___
Python-bugs-list mailing list
Unsubscribe: 
https://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com



[issue24456] audioop.adpcm2lin Buffer Over-read

2015-06-28 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

The patch for 2.7 also fixed SystemError and possible memory leak.

--




[issue24456] audioop.adpcm2lin Buffer Over-read

2015-06-28 Thread Roundup Robot

Roundup Robot added the comment:

New changeset 1f6c096ee772 by Serhiy Storchaka in branch '2.7':
Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
https://hg.python.org/cpython/rev/1f6c096ee772

New changeset fd17e168b59f by Serhiy Storchaka in branch '3.4':
Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
https://hg.python.org/cpython/rev/fd17e168b59f

New changeset 3039cb5b673c by Serhiy Storchaka in branch '3.5':
Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
https://hg.python.org/cpython/rev/3039cb5b673c

New changeset 0e1d9018e74b by Serhiy Storchaka in branch 'default':
Issue #24456: Fixed possible buffer over-read in adpcm2lin() and lin2adpcm()
https://hg.python.org/cpython/rev/0e1d9018e74b

--
nosy: +python-dev




[issue24456] audioop.adpcm2lin Buffer Over-read

2015-06-28 Thread Serhiy Storchaka

Changes by Serhiy Storchaka storch...@gmail.com:


--
resolution:  -> fixed
stage: needs patch -> resolved
status: open -> closed




[issue24456] audioop.adpcm2lin Buffer Over-read

2015-06-26 Thread Serhiy Storchaka

Changes by Serhiy Storchaka storch...@gmail.com:


--
stage:  -> needs patch
versions: +Python 3.4, Python 3.5, Python 3.6




[issue24456] audioop.adpcm2lin Buffer Over-read

2015-06-26 Thread Serhiy Storchaka

Serhiy Storchaka added the comment:

Here is a patch that checks the state and raises ValueError if integer values 
are out of range.

--
keywords: +patch
Added file: http://bugs.python.org/file39816/audioop_adpcm_range_check.patch




[issue24456] audioop.adpcm2lin Buffer Over-read

2015-06-16 Thread Serhiy Storchaka

Changes by Serhiy Storchaka storch...@gmail.com:


--
assignee:  -> serhiy.storchaka
nosy: +serhiy.storchaka




[issue24456] audioop.adpcm2lin Buffer Over-read

2015-06-15 Thread JohnLeitch

New submission from JohnLeitch:

The audioop.adpcm2lin function suffers from a buffer over-read caused by 
unchecked access to stepsizeTable at line 1545 of Modules\audioop.c:

    } else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) )
        return 0;

    step = stepsizeTable[index];

Because the index variable can be controlled via the third parameter of 
audioop.adpcm2lin, this behavior could potentially be exploited to disclose 
arbitrary memory, should an application expose the parameter to the attack 
surface.

0:000 r
eax=01f13474 ebx= ecx=0002 edx=01f13460 esi=01f13460 edi=0001
eip=1e01c4f0 esp=0027fcdc ebp=7e86ecdd iopl=0 nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010202
python27!audioop_adpcm2lin+0xe0:
1e01c4f0 8b04adb0dd1f1e  mov eax,dword ptr python27!stepsizeTable 
(1e1fddb0)[ebp*4] ss:002b:183b9124=
0:000 k
ChildEBP RetAddr
0027fd18 1e0aafd7 python27!audioop_adpcm2lin+0xe0
0027fd30 1e0edd10 python27!PyCFunction_Call+0x47
0027fd5c 1e0f017a python27!call_function+0x2b0
0027fdcc 1e0f1150 python27!PyEval_EvalFrameEx+0x239a
0027fe00 1e0f11b2 python27!PyEval_EvalCodeEx+0x690
0027fe2c 1e11707a python27!PyEval_EvalCode+0x22
0027fe44 1e1181c5 python27!run_mod+0x2a
0027fe64 1e118760 python27!PyRun_FileExFlags+0x75
0027fea4 1e1190d9 python27!PyRun_SimpleFileExFlags+0x190
0027fec0 1e038d35 python27!PyRun_AnyFileExFlags+0x59
0027ff3c 1d00116d python27!Py_Main+0x965
0027ff80 76477c04 python!__tmainCRTStartup+0x10f
0027ff94 7799ad1f KERNEL32!BaseThreadInitThunk+0x24
0027ffdc 7799acea ntdll!__RtlUserThreadStart+0x2f
0027ffec  ntdll!_RtlUserThreadStart+0x1b
0:000

To fix this issue, it is recommended that bounds checking be performed prior to 
accessing stepsizeTable.

--
files: audioop.adpcm2lin_buffer_over-read.py
messages: 245407
nosy: JohnLeitch
priority: normal
severity: normal
status: open
title: audioop.adpcm2lin Buffer Over-read
type: security
versions: Python 2.7
Added file: 
http://bugs.python.org/file39712/audioop.adpcm2lin_buffer_over-read.py
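
Added example, not part of the original report and not CPython's own code: a stand-alone C sketch of the check the thread describes, rejecting a caller-supplied (valpred, index) state before it is used to index the step-size table. The function names, the -1 error return and the sample calls are assumptions made for illustration; the table is the standard IMA ADPCM step table.

```c
#include <stdio.h>

/* Standard IMA ADPCM step sizes; valid indices are 0..STEP_COUNT-1. */
static const int step_table[] = {
    7, 8, 9, 10, 11, 12, 13, 14, 16, 17, 19, 21, 23, 25, 28, 31, 34, 37, 41,
    45, 50, 55, 60, 66, 73, 80, 88, 97, 107, 118, 130, 143, 157, 173, 190,
    209, 230, 253, 279, 307, 337, 371, 408, 449, 494, 544, 598, 658, 724,
    796, 876, 963, 1060, 1166, 1282, 1411, 1552, 1707, 1878, 2066, 2272,
    2499, 2749, 3024, 3327, 3660, 4026, 4428, 4871, 5358, 5894, 6484, 7132,
    7845, 8630, 9493, 10442, 11487, 12635, 13899, 15289, 16818, 18500,
    20350, 22385, 24623, 27086, 29794, 32767
};
static const int index_table[16] = {-1,-1,-1,-1,2,4,6,8,-1,-1,-1,-1,2,4,6,8};
enum { STEP_COUNT = sizeof step_table / sizeof step_table[0] };

/* Hypothetical helper: validate untrusted state, then look up the step.
   Returns 0 on success, -1 if valpred is not a 16-bit sample or index
   would read outside step_table (the over-read in the report). */
static int adpcm_state_step(int valpred, int index, int *step)
{
    if (valpred < -0x8000 || valpred > 0x7fff)
        return -1;
    if (index < 0 || index >= STEP_COUNT)
        return -1;
    *step = step_table[index];
    return 0;
}

/* Decode one 4-bit code; the state is only modified after validation. */
static int adpcm_decode_nibble(unsigned delta, int *valpred, int *index)
{
    int step, vpdiff;
    if (adpcm_state_step(*valpred, *index, &step) != 0)
        return -1;
    *index += index_table[delta & 0xf];
    if (*index < 0) *index = 0;
    if (*index >= STEP_COUNT) *index = STEP_COUNT - 1;
    vpdiff = step >> 3;
    if (delta & 4) vpdiff += step;
    if (delta & 2) vpdiff += step >> 1;
    if (delta & 1) vpdiff += step >> 2;
    *valpred += (delta & 8) ? -vpdiff : vpdiff;
    if (*valpred > 0x7fff) *valpred = 0x7fff;
    if (*valpred < -0x8000) *valpred = -0x8000;
    return 0;
}

int main(void) {
    int v = 0, i = 0x10000000;  /* constructed out-of-range index */
    printf("bad state -> %d\n", adpcm_decode_nibble(0x7, &v, &i));
    return 0;
}
```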
