|
 |
94e8505 |
From ddc63ebe9b52c0ab4ba033301e70fac89f610704 Mon Sep 17 00:00:00 2001
|
|
|
94e8505 |
From: Victor Stinner <victor.stinner@haypocalc.com>
|
|
|
94e8505 |
Date: Sun, 10 Jan 2010 21:10:01 +0100
|
|
|
94e8505 |
Subject: [PATCH] audioop: check that length is a multiple the size
|
|
|
94e8505 |
|
|
|
94e8505 |
Most functions of audioop takes as input a byte string (audio data) and a size
|
|
|
94e8505 |
argument (number of bytes of a sample). Functions don't check that the byte
|
|
|
94e8505 |
string length is a multiple of the size. It leads to read and write from/to
|
|
|
94e8505 |
uninitialised memory and might crash.
|
|
|
94e8505 |
|
|
|
94e8505 |
Example on writing into uninitilized memory:
|
|
|
94e8505 |
|
|
|
94e8505 |
$ python -c "import audioop; audioop.reverse('X', 2)"
|
|
|
94e8505 |
Fatal Python error: Inconsistent interned string state.
|
|
|
94e8505 |
Abandon
|
|
|
94e8505 |
|
|
|
94e8505 |
It allocates a string of 1 byte and write 2 bytes into this string => memory
|
|
|
94e8505 |
corruption.
|
|
|
94e8505 |
|
|
|
94e8505 |
Attached patch creates audioop_check_size() and audioop_check_parameters()
|
|
|
94e8505 |
functions.
|
|
|
94e8505 |
---
|
|
|
94e8505 |
Modules/audioop.c | 153 ++++++++++++++++++++++++----------------------------
|
|
|
94e8505 |
1 files changed, 71 insertions(+), 82 deletions(-)
|
|
|
94e8505 |
|
|
|
94e8505 |
diff --git a/Modules/audioop.c b/Modules/audioop.c
|
|
|
94e8505 |
index 42daf9b..ebb992a 100644
|
|
|
94e8505 |
--- a/Modules/audioop.c
|
|
|
94e8505 |
+++ b/Modules/audioop.c
|
|
|
94e8505 |
@@ -295,6 +295,29 @@ static int stepsizeTable[89] = {
|
|
|
94e8505 |
|
|
|
94e8505 |
static PyObject *AudioopError;
|
|
|
94e8505 |
|
|
|
94e8505 |
+static int
|
|
|
94e8505 |
+audioop_check_size(int size)
|
|
|
94e8505 |
+{
|
|
|
94e8505 |
+ if ( size != 1 && size != 2 && size != 4 ) {
|
|
|
94e8505 |
+ PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
+ return 0;
|
|
|
94e8505 |
+ } else {
|
|
|
94e8505 |
+ return 1;
|
|
|
94e8505 |
+ }
|
|
|
94e8505 |
+}
|
|
|
94e8505 |
+
|
|
|
94e8505 |
+static int
|
|
|
94e8505 |
+audioop_check_parameters(int len, int size)
|
|
|
94e8505 |
+{
|
|
|
94e8505 |
+ if (!audioop_check_size(size))
|
|
|
94e8505 |
+ return 0;
|
|
|
94e8505 |
+ if ( len % size != 0 ) {
|
|
|
94e8505 |
+ PyErr_SetString(AudioopError, "not a whole number of frames");
|
|
|
94e8505 |
+ return 0;
|
|
|
94e8505 |
+ }
|
|
|
94e8505 |
+ return 1;
|
|
|
94e8505 |
+}
|
|
|
94e8505 |
+
|
|
|
94e8505 |
static PyObject *
|
|
|
94e8505 |
audioop_getsample(PyObject *self, PyObject *args)
|
|
|
94e8505 |
{
|
|
|
94e8505 |
@@ -304,10 +327,8 @@ audioop_getsample(PyObject *self, PyObject *args)
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#ii:getsample", &cp, &len, &size, &i) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4 ) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
if ( i < 0 || i >= len/size ) {
|
|
|
94e8505 |
PyErr_SetString(AudioopError, "Index out of range");
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
@@ -328,10 +349,8 @@ audioop_max(PyObject *self, PyObject *args)
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:max", &cp, &len, &size) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4 ) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
for ( i=0; i
|
|
|
94e8505 |
if ( size == 1 ) val = (int)*CHARP(cp, i);
|
|
|
94e8505 |
else if ( size == 2 ) val = (int)*SHORTP(cp, i);
|
|
|
94e8505 |
@@ -352,10 +371,8 @@ audioop_minmax(PyObject *self, PyObject *args)
|
|
|
94e8505 |
|
|
|
94e8505 |
if (!PyArg_ParseTuple(args, "s#i:minmax", &cp, &len, &size))
|
|
|
94e8505 |
return NULL;
|
|
|
94e8505 |
- if (size != 1 && size != 2 && size != 4) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
return NULL;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
for (i = 0; i < len; i += size) {
|
|
|
94e8505 |
if (size == 1) val = (int) *CHARP(cp, i);
|
|
|
94e8505 |
else if (size == 2) val = (int) *SHORTP(cp, i);
|
|
|
94e8505 |
@@ -376,10 +393,8 @@ audioop_avg(PyObject *self, PyObject *args)
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:avg", &cp, &len, &size) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4 ) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
for ( i=0; i
|
|
|
94e8505 |
if ( size == 1 ) val = (int)*CHARP(cp, i);
|
|
|
94e8505 |
else if ( size == 2 ) val = (int)*SHORTP(cp, i);
|
|
|
94e8505 |
@@ -403,10 +418,8 @@ audioop_rms(PyObject *self, PyObject *args)
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:rms", &cp, &len, &size) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4 ) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
for ( i=0; i
|
|
|
94e8505 |
if ( size == 1 ) val = (int)*CHARP(cp, i);
|
|
|
94e8505 |
else if ( size == 2 ) val = (int)*SHORTP(cp, i);
|
|
|
94e8505 |
@@ -614,10 +627,8 @@ audioop_avgpp(PyObject *self, PyObject *args)
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:avgpp", &cp, &len, &size) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4 ) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
/* Compute first delta value ahead. Also automatically makes us
|
|
|
94e8505 |
** skip the first extreme value
|
|
|
94e8505 |
*/
|
|
|
94e8505 |
@@ -671,10 +682,8 @@ audioop_maxpp(PyObject *self, PyObject *args)
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:maxpp", &cp, &len, &size) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4 ) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
/* Compute first delta value ahead. Also automatically makes us
|
|
|
94e8505 |
** skip the first extreme value
|
|
|
94e8505 |
*/
|
|
|
94e8505 |
@@ -722,10 +731,8 @@ audioop_cross(PyObject *self, PyObject *args)
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:cross", &cp, &len, &size) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4 ) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
ncross = -1;
|
|
|
94e8505 |
prevval = 17; /* Anything <> 0,1 */
|
|
|
94e8505 |
for ( i=0; i
|
|
|
94e8505 |
@@ -750,6 +757,8 @@ audioop_mul(PyObject *self, PyObject *args)
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#id:mul", &cp, &len, &size, &factor ) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( size == 1 ) maxval = (double) 0x7f;
|
|
|
94e8505 |
else if ( size == 2 ) maxval = (double) 0x7fff;
|
|
|
94e8505 |
@@ -792,6 +801,12 @@ audioop_tomono(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#idd:tomono",
|
|
|
94e8505 |
&cp, &len, &size, &fac1, &fac2 ) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
+ if ( ((len / size) & 1) != 0 ) {
|
|
|
94e8505 |
+ PyErr_SetString(AudioopError, "not a whole number of frames");
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
+ }
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( size == 1 ) maxval = (double) 0x7f;
|
|
|
94e8505 |
else if ( size == 2 ) maxval = (double) 0x7fff;
|
|
|
94e8505 |
@@ -837,6 +852,8 @@ audioop_tostereo(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#idd:tostereo",
|
|
|
94e8505 |
&cp, &len, &size, &fac1, &fac2 ) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
if ( size == 1 ) maxval = (double) 0x7f;
|
|
|
94e8505 |
else if ( size == 2 ) maxval = (double) 0x7fff;
|
|
|
94e8505 |
@@ -896,7 +913,8 @@ audioop_add(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#s#i:add",
|
|
|
94e8505 |
&cp1, &len1, &cp2, &len2, &size ) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
-
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len1, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
if ( len1 != len2 ) {
|
|
|
94e8505 |
PyErr_SetString(AudioopError, "Lengths should be the same");
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
@@ -950,11 +968,8 @@ audioop_bias(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#ii:bias",
|
|
|
94e8505 |
&cp, &len, &size , &bias) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
-
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
rv = PyString_FromStringAndSize(NULL, len);
|
|
|
94e8505 |
if ( rv == 0 )
|
|
|
94e8505 |
@@ -986,12 +1001,9 @@ audioop_reverse(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:reverse",
|
|
|
94e8505 |
&cp, &len, &size) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4 ) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
-
|
|
|
94e8505 |
rv = PyString_FromStringAndSize(NULL, len);
|
|
|
94e8505 |
if ( rv == 0 )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
@@ -1023,12 +1035,10 @@ audioop_lin2lin(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#ii:lin2lin",
|
|
|
94e8505 |
&cp, &len, &size, &size2) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
-
|
|
|
94e8505 |
- if ( (size != 1 && size != 2 && size != 4) ||
|
|
|
94e8505 |
- (size2 != 1 && size2 != 2 && size2 != 4)) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
+ if (!audioop_check_size(size2))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
new_len = (len/size)*size2;
|
|
|
94e8505 |
if (new_len < 0) {
|
|
|
94e8505 |
@@ -1080,10 +1090,8 @@ audioop_ratecv(PyObject *self, PyObject *args)
|
|
|
94e8505 |
&nchannels, &inrate, &outrate, &state,
|
|
|
94e8505 |
&weightA, &weightB))
|
|
|
94e8505 |
return NULL;
|
|
|
94e8505 |
- if (size != 1 && size != 2 && size != 4) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
+ if (!audioop_check_size(size))
|
|
|
94e8505 |
return NULL;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
if (nchannels < 1) {
|
|
|
94e8505 |
PyErr_SetString(AudioopError, "# of channels should be >= 1");
|
|
|
94e8505 |
return NULL;
|
|
|
94e8505 |
@@ -1269,11 +1277,8 @@ audioop_lin2ulaw(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:lin2ulaw",
|
|
|
94e8505 |
&cp, &len, &size) )
|
|
|
94e8505 |
return 0 ;
|
|
|
94e8505 |
-
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
rv = PyString_FromStringAndSize(NULL, len/size);
|
|
|
94e8505 |
if ( rv == 0 )
|
|
|
94e8505 |
@@ -1303,11 +1308,8 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:ulaw2lin",
|
|
|
94e8505 |
&cp, &len, &size) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
-
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_size(size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
new_len = len*size;
|
|
|
94e8505 |
if (new_len < 0) {
|
|
|
94e8505 |
@@ -1343,11 +1345,8 @@ audioop_lin2alaw(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:lin2alaw",
|
|
|
94e8505 |
&cp, &len, &size) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
-
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
rv = PyString_FromStringAndSize(NULL, len/size);
|
|
|
94e8505 |
if ( rv == 0 )
|
|
|
94e8505 |
@@ -1377,11 +1376,8 @@ audioop_alaw2lin(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#i:alaw2lin",
|
|
|
94e8505 |
&cp, &len, &size) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
-
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_size(size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
new_len = len*size;
|
|
|
94e8505 |
if (new_len < 0) {
|
|
|
94e8505 |
@@ -1418,12 +1414,8 @@ audioop_lin2adpcm(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#iO:lin2adpcm",
|
|
|
94e8505 |
&cp, &len, &size, &state) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
-
|
|
|
94e8505 |
-
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_parameters(len, size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
str = PyString_FromStringAndSize(NULL, len/(size*2));
|
|
|
94e8505 |
if ( str == 0 )
|
|
|
94e8505 |
@@ -1526,11 +1518,8 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
|
|
|
94e8505 |
if ( !PyArg_ParseTuple(args, "s#iO:adpcm2lin",
|
|
|
94e8505 |
&cp, &len, &size, &state) )
|
|
|
94e8505 |
return 0;
|
|
|
94e8505 |
-
|
|
|
94e8505 |
- if ( size != 1 && size != 2 && size != 4) {
|
|
|
94e8505 |
- PyErr_SetString(AudioopError, "Size should be 1, 2 or 4");
|
|
|
94e8505 |
- return 0;
|
|
|
94e8505 |
- }
|
|
|
94e8505 |
+ if (!audioop_check_size(size))
|
|
|
94e8505 |
+ return NULL;
|
|
|
94e8505 |
|
|
|
94e8505 |
/* Decode state, should have (value, step) */
|
|
|
94e8505 |
if ( state == Py_None ) {
|
|
|
94e8505 |
--
|
|
|
94e8505 |
1.6.0.4
|
|
|
94e8505 |
|