[New-bugs-announce] [issue2593] alp_ReadFrames() integer overflow leads to buffer overflow
Justin Ferguson
report at bugs.python.org
Tue Apr 8 18:18:29 CEST 2008
New submission from Justin Ferguson <justin.ferguson at ioactive.com>:
Please see bug 2591 for a suggestion on what to do with these SGI modules.
(sorry I don't have any pocs/repros I don't have an sgi box handy atm)
Integer overflow/invalid allocation at 768, write to memory at 773
716 static PyObject *
717 alp_ReadFrames(alpobject *self, PyObject *args)
718 {
719     int framecount;
720     PyObject *v;
721     int size;
722     int ch;
723     ALconfig c;
724
725     if (!PyArg_ParseTuple(args, "i:ReadFrames", &framecount))
726         return NULL;
727     if (framecount < 0) {
728         PyErr_SetString(ErrorObject, "negative framecount");
729         return NULL;
730     }
[...]
732     switch (alGetSampFmt(c)) {
733     case AL_SAMPFMT_TWOSCOMP:
734         switch (alGetWidth(c)) {
735         case AL_SAMPLE_8:
736             size = 1;
737             break;
738         case AL_SAMPLE_16:
739             size = 2;
740             break;
741         case AL_SAMPLE_24:
742             size = 4;
743             break;
744         default:
745             PyErr_SetString(ErrorObject, "can't determine width");
746             alFreeConfig(c);
747             return NULL;
748         }
749         break;
750     case AL_SAMPFMT_FLOAT:
751         size = 4;
752         break;
753     case AL_SAMPFMT_DOUBLE:
754         size = 8;
755         break;
756     default:
757         PyErr_SetString(ErrorObject, "can't determine format");
758         alFreeConfig(c);
759         return NULL;
760     }
761     ch = alGetChannels(c);
762     alFreeConfig(c);
763     if (ch < 0) {
764         PyErr_SetString(ErrorObject, "can't determine # of channels");
765         return NULL;
766     }
767     size *= ch;
768     v = PyString_FromStringAndSize((char *) NULL, size * framecount);
769     if (v == NULL)
770         return NULL;
771
[...]
773     alReadFrames(self->port, (void *) PyString_AS_STRING(v), framecount);
----------
components: Extension Modules
messages: 65183
nosy: jnferguson
severity: normal
status: open
title: alp_ReadFrames() integer overflow leads to buffer overflow
type: security
versions: Python 2.5
__________________________________
Tracker <report at bugs.python.org>
<http://bugs.python.org/issue2593>
__________________________________
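Added example, not part of the original report and not code from CPython: a bounds-checked version of the arithmetic at lines 767-768, next to the value an unchecked 32-bit multiply wraps to. The helper names checked_frame_bytes and wrapped_frame_bytes and the input values are hypothetical, constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not from the module in the report): computes
 * size * ch * framecount as lines 767-768 do, but rejects any product that
 * does not fit in int. Returns 0 and stores the byte count, or -1. */
static int checked_frame_bytes(int size, int ch, int framecount, int *out)
{
    if (size <= 0 || ch < 0 || framecount < 0)
        return -1;
    if (ch != 0 && size > INT_MAX / ch)
        return -1;                      /* size *= ch would overflow */
    size *= ch;
    if (framecount != 0 && size > INT_MAX / framecount)
        return -1;                      /* size * framecount would overflow */
    *out = size * framecount;
    return 0;
}

/* What a 32-bit multiply wraps to, computed in unsigned arithmetic so the
 * demonstration itself has no undefined behaviour. */
static uint32_t wrapped_frame_bytes(int size, int ch, int framecount)
{
    return (uint32_t)size * (uint32_t)ch * (uint32_t)framecount;
}

int main(void)
{
    int bytes = 0;
    /* Constructed inputs: 8-byte double samples, 2 channels. */
    int frames = 0x10000001;
    int rc = checked_frame_bytes(8, 2, frames, &bytes);

    printf("checked: rc=%d (request rejected)\n", rc);
    printf("unchecked 32-bit product: %u bytes allocated for %d frames\n",
           (unsigned)wrapped_frame_bytes(8, 2, frames), frames);
    return 0;
}
```

The framecount < 0 test at line 727 does not catch this case, because framecount is positive and only the product wraps.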