[New-bugs-announce] [issue8674] audioop: incorrect integer overflow checks

Tomas Hoger report at bugs.python.org
Mon May 10 15:43:29 CEST 2010

New submission from Tomas Hoger <thoger at redhat.com>:

SVN commit r64114 added integer overflow checks to multiple modules.  Checks added to audioop module are incorrect and can still be bypassed:


- audioop_tostereo - should be fine, but relies on undefined behaviour
- audioop_lin2lin - undetected overflow: size=1, size2=4, len=0x40000001
- audioop_ratecv - undetected overflow: nchannels=0x5fffffff (32bit)
- audioop_ulaw2lin - undetected overflow: size=4, len=0x40000001
- audioop_alaw2lin - same as audioop_ulaw2lin
- audioop_adpcm2lin - undetected overflow: size=4, len=0x20000001

Most of these are triggered by large fragment as an input.

Attached patch replaces checks added in r64114 by checks using INT_MAX.

components: Extension Modules
files: python2.6-audioop-int-overflows.diff
keywords: patch
messages: 105434
nosy: thoger
priority: normal
severity: normal
status: open
title: audioop: incorrect integer overflow checks
type: security
versions: Python 2.6
Added file: http://bugs.python.org/file17281/python2.6-audioop-int-overflows.diff

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list