[New-bugs-announce] [issue2593] alp_ReadFrames() integer overflow leads to buffer overflow

Justin Ferguson report at bugs.python.org
Tue Apr 8 18:18:29 CEST 2008


New submission from Justin Ferguson <justin.ferguson at ioactive.com>:

Please see bug 2591 for a suggestion on what to do with these SGI modules.
(Sorry, I don't have any PoCs/repros; I don't have an SGI box handy atm.)

Integer overflow/invalid allocation at 768, write to memory at 773

 716 static PyObject *
 717 alp_ReadFrames(alpobject *self, PyObject *args)
 718 {
 719         int framecount;
 720         PyObject *v;
 721         int size;
 722         int ch;
 723         ALconfig c;
 724 
 725         if (!PyArg_ParseTuple(args, "i:ReadFrames", &framecount))
 726                 return NULL;
 727         if (framecount < 0) {
 728                 PyErr_SetString(ErrorObject, "negative framecount");
 729                 return NULL;
 730         }
[...]
 732         switch (alGetSampFmt(c)) {
 733         case AL_SAMPFMT_TWOSCOMP:
 734                 switch (alGetWidth(c)) {
 735                 case AL_SAMPLE_8:
 736                         size = 1;
 737                         break;
 738                 case AL_SAMPLE_16:
 739                         size = 2;
 740                         break;
 741                 case AL_SAMPLE_24:
 742                         size = 4;
 743                         break;
 744                 default:
 745                         PyErr_SetString(ErrorObject, "can't determine width");
 746                         alFreeConfig(c);
 747                         return NULL;
 748                 }
 749                 break;
 750         case AL_SAMPFMT_FLOAT:
 751                 size = 4;
 752                 break;
 753         case AL_SAMPFMT_DOUBLE:
 754                 size = 8;
 755                 break;
 756         default:
 757                 PyErr_SetString(ErrorObject, "can't determine format");
 758                 alFreeConfig(c);
 759                 return NULL;
 760         }
 761         ch = alGetChannels(c);
 762         alFreeConfig(c);
 763         if (ch < 0) {
 764                 PyErr_SetString(ErrorObject, "can't determine # of channels");
 765                 return NULL;
 766         }
 767         size *= ch;
 768         v = PyString_FromStringAndSize((char *) NULL, size * framecount);
 769         if (v == NULL)
 770                 return NULL;
 771 
[...]
 773         alReadFrames(self->port, (void *) PyString_AS_STRING(v), framecount);

----------
components: Extension Modules
messages: 65183
nosy: jnferguson
severity: normal
status: open
title: alp_ReadFrames() integer overflow leads to buffer overflow
type: security
versions: Python 2.5

__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2593>
__________________________________
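
The arithmetic behind the report, as an added example that is not part of the original submission and is not CPython's fix: it shows the size a wrapping 32-bit multiply produces for line 768 next to an overflow-checked computation that also covers `size *= ch` at line 767. The helper names and sample inputs are hypothetical, and a 32-bit `int` is assumed.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Low 32 bits of size * framecount: what a wrapping 32-bit int multiply
   (the expression at line 768) yields. Done unsigned here to avoid UB. */
static uint32_t wrapped_alloc_size(int size, int framecount)
{
    return (uint32_t)size * (uint32_t)framecount;
}

/* Hypothetical helper (not CPython code): computes
   bytes_per_sample * channels * framecount, refusing any overflow of int.
   Returns 0 and stores the byte count in *out, or -1 on rejection. */
static int checked_frame_bytes(int bytes_per_sample, int channels,
                               int framecount, int *out)
{
    int frame;

    if (bytes_per_sample <= 0 || channels < 0 || framecount < 0)
        return -1;
    if (channels != 0 && bytes_per_sample > INT_MAX / channels)
        return -1;                      /* guards size *= ch (line 767) */
    frame = bytes_per_sample * channels;
    if (frame != 0 && framecount > INT_MAX / frame)
        return -1;                      /* guards size * framecount (768) */
    *out = frame * framecount;
    return 0;
}

int main(void)
{
    int n = 0;
    /* Constructed inputs: AL_SAMPFMT_DOUBLE (size 8), 2 channels. */
    int size = 8 * 2, framecount = 0x10000000;

    printf("unchecked allocation size: %u bytes\n",
           (unsigned)wrapped_alloc_size(size, framecount));
    printf("checked, same request: %d\n",
           checked_frame_bytes(8, 2, framecount, &n));
    if (checked_frame_bytes(2, 2, 44100, &n) == 0)
        printf("checked, 44100 16-bit stereo frames: %d bytes\n", n);
    return 0;
}
```

With these inputs the unchecked product wraps to 0 bytes while `framecount` still asks for 0x10000000 frames, which is the mismatch between the allocation at 768 and the write at 773.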

