alp_ReadFrames() integer overflow leads to buffer overflow

[jnferguson]

BPO	2593
Nosy	@bitdancer

^{Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.}

Show more details

GitHub fields:

assignee = None
closed_at = <Date 2009-03-29.14:00:05.223>
created_at = <Date 2008-04-08.16:18:28.607>
labels = ['type-security', 'extension-modules']
title = 'alp_ReadFrames() integer overflow leads to buffer overflow'
updated_at = <Date 2009-03-29.14:00:05.136>
user = 'https://bugs.python.org/jnferguson'

bugs.python.org fields:

activity = <Date 2009-03-29.14:00:05.136>
actor = 'r.david.murray'
assignee = 'none'
closed = True
closed_date = <Date 2009-03-29.14:00:05.223>
closer = 'r.david.murray'
components = ['Extension Modules']
creation = <Date 2008-04-08.16:18:28.607>
creator = 'jnferguson'
dependencies = []
files = []
hgrepos = []
issue_num = 2593
keywords = []
message_count = 2.0
messages = ['65183', '84398']
nosy_count = 2.0
nosy_names = ['jnferguson', 'r.david.murray']
pr_nums = []
priority = 'normal'
resolution = 'wont fix'
stage = 'resolved'
status = 'closed'
superseder = None
type = 'security'
url = 'https://bugs.python.org/issue2593'
versions = ['Python 2.5']

[jnferguson]

Please see bug 2591 for a suggestion on what to do with these SGI modules.
(sorry I don't have any pocs/repros I dont have an sgi box handy atm)

Integer overflow/invalid allocation at 768, write to memory at 773

716 static PyObject *
717 alp_ReadFrames(alpobject *self, PyObject *args)
718 {
719 int framecount;
720 PyObject *v;
721 int size;
722 int ch;
723 ALconfig c;
724
725 if (!PyArg_ParseTuple(args, "i:ReadFrames", &framecount))
726 return NULL;
727 if (framecount < 0) {
728 PyErr_SetString(ErrorObject, "negative framecount");
729 return NULL;
730 }
[...] 732 switch (alGetSampFmt(c)) {
733 case AL_SAMPFMT_TWOSCOMP:
734 switch (alGetWidth(c)) {
735 case AL_SAMPLE_8:
736 size = 1;
737 break;
738 case AL_SAMPLE_16:
739 size = 2;
740 break;
741 case AL_SAMPLE_24:
742 size = 4;
743 break;
744 default:
745 PyErr_SetString(ErrorObject, "can't
determine width");
746 alFreeConfig(c);
747 return NULL;
748 }
749 break;
750 case AL_SAMPFMT_FLOAT:
751 size = 4;
752 break;
753 case AL_SAMPFMT_DOUBLE:
754 size = 8;
755 break;
756 default:
757 PyErr_SetString(ErrorObject, "can't determine format");
758 alFreeConfig(c);
759 return NULL;
760 }
761 ch = alGetChannels(c);
762 alFreeConfig(c);
763 if (ch < 0) {
764 PyErr_SetString(ErrorObject, "can't determine # of
channels");
765 return NULL;
766 }
767 size *= ch;
768 v = PyString_FromStringAndSize((char *) NULL, size *
framecount);
769 if (v == NULL)
770 return NULL;
771
[...]
773 alReadFrames(self->port, (void *) PyString_AS_STRING(v),
framecount);

[bitdancer]

Closed per comments in bpo-2591.