Skip to content

Commit b7180a8

Browse files
doko42doko42
committed
Merge r82494 from the python2.6 branch:
 Issue python#7673: Fix security vulnerability (CVE-2010-2089) in the audioop module, ensure that the input string length is a multiple of the frame size
1 parent d4367c2 commit b7180a8

File tree

2 files changed

+74
-73
lines changed

2 files changed

+74
-73
lines changed

Misc/NEWS

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,9 @@ Library
1515
- Issue #8674: Fixed a number of incorrect or undefined-behaviour-inducing
1616
overflow checks in the audioop module (CVE-2010-1634).
1717

18+
- Issue #7673: Fix security vulnerability (CVE-2010-2089) in the audioop
19+
module, ensure that the input string length is a multiple of the frame size.
20+
1821

1922
What's New in Python 2.5.5?
2023
===========================

Modules/audioop.c

Lines changed: 71 additions & 73 deletions
Original file line numberDiff line numberDiff line change
@@ -295,6 +295,29 @@ static int stepsizeTable[89] = {
295295

296296
static PyObject *AudioopError;
297297

298+
static int
299+
audioop_check_size(int size)
300+
{
301+
if (size != 1 && size != 2 && size != 4) {
302+
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
303+
return 0;
304+
}
305+
else
306+
return 1;
307+
}
308+
309+
static int
310+
audioop_check_parameters(int len, int size)
311+
{
312+
if (!audioop_check_size(size))
313+
return 0;
314+
if (len % size != 0) {
315+
PyErr_SetString(AudioopError, "not a whole number of frames");
316+
return 0;
317+
}
318+
return 1;
319+
}
320+
298321
static PyObject *
299322
audioop_getsample(PyObject *self, PyObject *args)
300323
{
@@ -304,10 +327,8 @@ audioop_getsample(PyObject *self, PyObject *args)
304327

305328
if ( !PyArg_ParseTuple(args, "s#ii:getsample", &cp, &len, &size, &i) )
306329
return 0;
307-
if ( size != 1 && size != 2 && size != 4 ) {
308-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
309-
return 0;
310-
}
330+
if (!audioop_check_parameters(len, size))
331+
return NULL;
311332
if ( i < 0 || i >= len/size ) {
312333
PyErr_SetString(AudioopError, "Index out of range");
313334
return 0;
@@ -328,10 +349,8 @@ audioop_max(PyObject *self, PyObject *args)
328349

329350
if ( !PyArg_ParseTuple(args, "s#i:max", &cp, &len, &size) )
330351
return 0;
331-
if ( size != 1 && size != 2 && size != 4 ) {
332-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
333-
return 0;
334-
}
352+
if (!audioop_check_parameters(len, size))
353+
return NULL;
335354
for ( i=0; i<len; i+= size) {
336355
if ( size == 1 ) val = (int)*CHARP(cp, i);
337356
else if ( size == 2 ) val = (int)*SHORTP(cp, i);
@@ -352,10 +371,8 @@ audioop_minmax(PyObject *self, PyObject *args)
352371

353372
if (!PyArg_ParseTuple(args, "s#i:minmax", &cp, &len, &size))
354373
return NULL;
355-
if (size != 1 && size != 2 && size != 4) {
356-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
374+
if (!audioop_check_parameters(len, size))
357375
return NULL;
358-
}
359376
for (i = 0; i < len; i += size) {
360377
if (size == 1) val = (int) *CHARP(cp, i);
361378
else if (size == 2) val = (int) *SHORTP(cp, i);
@@ -376,10 +393,8 @@ audioop_avg(PyObject *self, PyObject *args)
376393

377394
if ( !PyArg_ParseTuple(args, "s#i:avg", &cp, &len, &size) )
378395
return 0;
379-
if ( size != 1 && size != 2 && size != 4 ) {
380-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
381-
return 0;
382-
}
396+
if (!audioop_check_parameters(len, size))
397+
return NULL;
383398
for ( i=0; i<len; i+= size) {
384399
if ( size == 1 ) val = (int)*CHARP(cp, i);
385400
else if ( size == 2 ) val = (int)*SHORTP(cp, i);
@@ -403,10 +418,8 @@ audioop_rms(PyObject *self, PyObject *args)
403418

404419
if ( !PyArg_ParseTuple(args, "s#i:rms", &cp, &len, &size) )
405420
return 0;
406-
if ( size != 1 && size != 2 && size != 4 ) {
407-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
408-
return 0;
409-
}
421+
if (!audioop_check_parameters(len, size))
422+
return NULL;
410423
for ( i=0; i<len; i+= size) {
411424
if ( size == 1 ) val = (int)*CHARP(cp, i);
412425
else if ( size == 2 ) val = (int)*SHORTP(cp, i);
@@ -609,10 +622,8 @@ audioop_avgpp(PyObject *self, PyObject *args)
609622

610623
if ( !PyArg_ParseTuple(args, "s#i:avgpp", &cp, &len, &size) )
611624
return 0;
612-
if ( size != 1 && size != 2 && size != 4 ) {
613-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
614-
return 0;
615-
}
625+
if (!audioop_check_parameters(len, size))
626+
return NULL;
616627
/* Compute first delta value ahead. Also automatically makes us
617628
** skip the first extreme value
618629
*/
@@ -666,10 +677,8 @@ audioop_maxpp(PyObject *self, PyObject *args)
666677

667678
if ( !PyArg_ParseTuple(args, "s#i:maxpp", &cp, &len, &size) )
668679
return 0;
669-
if ( size != 1 && size != 2 && size != 4 ) {
670-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
671-
return 0;
672-
}
680+
if (!audioop_check_parameters(len, size))
681+
return NULL;
673682
/* Compute first delta value ahead. Also automatically makes us
674683
** skip the first extreme value
675684
*/
@@ -717,10 +726,8 @@ audioop_cross(PyObject *self, PyObject *args)
717726

718727
if ( !PyArg_ParseTuple(args, "s#i:cross", &cp, &len, &size) )
719728
return 0;
720-
if ( size != 1 && size != 2 && size != 4 ) {
721-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
722-
return 0;
723-
}
729+
if (!audioop_check_parameters(len, size))
730+
return NULL;
724731
ncross = -1;
725732
prevval = 17; /* Anything <> 0,1 */
726733
for ( i=0; i<len; i+= size) {
@@ -745,6 +752,8 @@ audioop_mul(PyObject *self, PyObject *args)
745752

746753
if ( !PyArg_ParseTuple(args, "s#id:mul", &cp, &len, &size, &factor ) )
747754
return 0;
755+
if (!audioop_check_parameters(len, size))
756+
return NULL;
748757

749758
if ( size == 1 ) maxval = (double) 0x7f;
750759
else if ( size == 2 ) maxval = (double) 0x7fff;
@@ -787,6 +796,12 @@ audioop_tomono(PyObject *self, PyObject *args)
787796
if ( !PyArg_ParseTuple(args, "s#idd:tomono",
788797
&cp, &len, &size, &fac1, &fac2 ) )
789798
return 0;
799+
if (!audioop_check_parameters(len, size))
800+
return NULL;
801+
if (((len / size) & 1) != 0) {
802+
PyErr_SetString(AudioopError, "not a whole number of frames");
803+
return NULL;
804+
}
790805

791806
if ( size == 1 ) maxval = (double) 0x7f;
792807
else if ( size == 2 ) maxval = (double) 0x7fff;
@@ -832,6 +847,8 @@ audioop_tostereo(PyObject *self, PyObject *args)
832847
if ( !PyArg_ParseTuple(args, "s#idd:tostereo",
833848
&cp, &len, &size, &fac1, &fac2 ) )
834849
return 0;
850+
if (!audioop_check_parameters(len, size))
851+
return NULL;
835852

836853
if ( size == 1 ) maxval = (double) 0x7f;
837854
else if ( size == 2 ) maxval = (double) 0x7fff;
@@ -890,7 +907,8 @@ audioop_add(PyObject *self, PyObject *args)
890907
if ( !PyArg_ParseTuple(args, "s#s#i:add",
891908
&cp1, &len1, &cp2, &len2, &size ) )
892909
return 0;
893-
910+
if (!audioop_check_parameters(len1, size))
911+
return NULL;
894912
if ( len1 != len2 ) {
895913
PyErr_SetString(AudioopError, "Lengths should be the same");
896914
return 0;
@@ -945,10 +963,8 @@ audioop_bias(PyObject *self, PyObject *args)
945963
&cp, &len, &size , &bias) )
946964
return 0;
947965

948-
if ( size != 1 && size != 2 && size != 4) {
949-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
950-
return 0;
951-
}
966+
if (!audioop_check_parameters(len, size))
967+
return NULL;
952968

953969
rv = PyString_FromStringAndSize(NULL, len);
954970
if ( rv == 0 )
@@ -981,10 +997,8 @@ audioop_reverse(PyObject *self, PyObject *args)
981997
&cp, &len, &size) )
982998
return 0;
983999

984-
if ( size != 1 && size != 2 && size != 4 ) {
985-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
986-
return 0;
987-
}
1000+
if (!audioop_check_parameters(len, size))
1001+
return NULL;
9881002

9891003
rv = PyString_FromStringAndSize(NULL, len);
9901004
if ( rv == 0 )
@@ -1018,11 +1032,10 @@ audioop_lin2lin(PyObject *self, PyObject *args)
10181032
&cp, &len, &size, &size2) )
10191033
return 0;
10201034

1021-
if ( (size != 1 && size != 2 && size != 4) ||
1022-
(size2 != 1 && size2 != 2 && size2 != 4)) {
1023-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
1024-
return 0;
1025-
}
1035+
if (!audioop_check_parameters(len, size))
1036+
return NULL;
1037+
if (!audioop_check_size(size2))
1038+
return NULL;
10261039

10271040
if (len/size > INT_MAX/size2) {
10281041
PyErr_SetString(PyExc_MemoryError,
@@ -1072,10 +1085,8 @@ audioop_ratecv(PyObject *self, PyObject *args)
10721085
&nchannels, &inrate, &outrate, &state,
10731086
&weightA, &weightB))
10741087
return NULL;
1075-
if (size != 1 && size != 2 && size != 4) {
1076-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
1088+
if (!audioop_check_size(size))
10771089
return NULL;
1078-
}
10791090
if (nchannels < 1) {
10801091
PyErr_SetString(AudioopError, "# of channels should be >= 1");
10811092
return NULL;
@@ -1252,10 +1263,8 @@ audioop_lin2ulaw(PyObject *self, PyObject *args)
12521263
&cp, &len, &size) )
12531264
return 0 ;
12541265

1255-
if ( size != 1 && size != 2 && size != 4) {
1256-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
1257-
return 0;
1258-
}
1266+
if (!audioop_check_parameters(len, size))
1267+
return NULL;
12591268

12601269
rv = PyString_FromStringAndSize(NULL, len/size);
12611270
if ( rv == 0 )
@@ -1286,10 +1295,8 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
12861295
&cp, &len, &size) )
12871296
return 0;
12881297

1289-
if ( size != 1 && size != 2 && size != 4) {
1290-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
1291-
return 0;
1292-
}
1298+
if (!audioop_check_parameters(len, size))
1299+
return NULL;
12931300

12941301
if (len > INT_MAX/size) {
12951302
PyErr_SetString(PyExc_MemoryError,
@@ -1325,10 +1332,8 @@ audioop_lin2alaw(PyObject *self, PyObject *args)
13251332
&cp, &len, &size) )
13261333
return 0;
13271334

1328-
if ( size != 1 && size != 2 && size != 4) {
1329-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
1330-
return 0;
1331-
}
1335+
if (!audioop_check_parameters(len, size))
1336+
return NULL;
13321337

13331338
rv = PyString_FromStringAndSize(NULL, len/size);
13341339
if ( rv == 0 )
@@ -1359,10 +1364,8 @@ audioop_alaw2lin(PyObject *self, PyObject *args)
13591364
&cp, &len, &size) )
13601365
return 0;
13611366

1362-
if ( size != 1 && size != 2 && size != 4) {
1363-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
1364-
return 0;
1365-
}
1367+
if (!audioop_check_parameters(len, size))
1368+
return NULL;
13661369

13671370
if (len > INT_MAX/size) {
13681371
PyErr_SetString(PyExc_MemoryError,
@@ -1399,12 +1402,9 @@ audioop_lin2adpcm(PyObject *self, PyObject *args)
13991402
&cp, &len, &size, &state) )
14001403
return 0;
14011404

1405+
if (!audioop_check_parameters(len, size))
1406+
return NULL;
14021407

1403-
if ( size != 1 && size != 2 && size != 4) {
1404-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
1405-
return 0;
1406-
}
1407-
14081408
str = PyString_FromStringAndSize(NULL, len/(size*2));
14091409
if ( str == 0 )
14101410
return 0;
@@ -1507,10 +1507,8 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
15071507
&cp, &len, &size, &state) )
15081508
return 0;
15091509

1510-
if ( size != 1 && size != 2 && size != 4) {
1511-
PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
1512-
return 0;
1513-
}
1510+
if (!audioop_check_parameters(len, size))
1511+
return NULL;
15141512

15151513
/* Decode state, should have (value, step) */
15161514
if ( state == Py_None ) {

0 commit comments

Comments
 (0)