[issue2593] alp_ReadFrames() integer overflow leads to buffer overflow

2009-03-29 Thread R. David Murray 

R. David Murray rdmur...@bitdance.com added the comment:

Closed per comments in issue2591.

--
nosy: +bitdancer
resolution:  - wont fix
stage:  - committed/rejected
status: open - closed

___
Python tracker rep...@bugs.python.org
http://bugs.python.org/issue2593
___
___
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

[issue2593] alp_ReadFrames() integer overflow leads to buffer overflow

2008-04-08 Thread Justin Ferguson 

New submission from Justin Ferguson [EMAIL PROTECTED]:

Please see bug 2591 for a suggestion on what to do with these SGI modules.
(sorry I don't have any pocs/repros I dont have an sgi box handy atm)

Integer overflow/invalid allocation at 768, write to memory at 773

 716 static PyObject *
 717 alp_ReadFrames(alpobject *self, PyObject *args)
 718 {
 719 int framecount;
 720 PyObject *v;
 721 int size;
 722 int ch;
 723 ALconfig c;
 724 
 725 if (!PyArg_ParseTuple(args, i:ReadFrames, framecount))
 726 return NULL;
 727 if (framecount  0) {
 728 PyErr_SetString(ErrorObject, negative framecount);
 729 return NULL;
 730 }
[...] 732 switch (alGetSampFmt(c)) {
 733 case AL_SAMPFMT_TWOSCOMP:
 734 switch (alGetWidth(c)) {
 735 case AL_SAMPLE_8:
 736 size = 1;
 737 break;
 738 case AL_SAMPLE_16:
 739 size = 2;
 740 break;
 741 case AL_SAMPLE_24:
 742 size = 4;
 743 break;
 744 default:
 745 PyErr_SetString(ErrorObject, can't
determine width);
 746 alFreeConfig(c);
 747 return NULL;
 748 }
 749 break;
 750 case AL_SAMPFMT_FLOAT:
 751 size = 4;
 752 break;
 753 case AL_SAMPFMT_DOUBLE:
 754 size = 8;
 755 break;
 756 default:
 757 PyErr_SetString(ErrorObject, can't determine format);
 758 alFreeConfig(c);
 759 return NULL;
 760 }
 761 ch = alGetChannels(c);
 762 alFreeConfig(c);
 763 if (ch  0) {
 764 PyErr_SetString(ErrorObject, can't determine # of
channels);
 765 return NULL;
 766 }
 767 size *= ch;
 768 v = PyString_FromStringAndSize((char *) NULL, size *
framecount);
 769 if (v == NULL)
 770 return NULL;
 771 
[...] 
 773 alReadFrames(self-port, (void *) PyString_AS_STRING(v),
framecount);

--
components: Extension Modules
messages: 65183
nosy: jnferguson
severity: normal
status: open
title: alp_ReadFrames() integer overflow leads to buffer overflow
type: security
versions: Python 2.5

__
Tracker [EMAIL PROTECTED]
http://bugs.python.org/issue2593
__
___
Python-bugs-list mailing list 
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com