Issue 2594: alp_readsamps() overflow leads to memory corruption in ?unused? SGI extension module almodule.c (original) (raw)

You guys should probably just remove the SGI modules, the code looks like it hasn't been touched in some time and hasn't gone through the same security checks as other pieces of code. Sorry I have no repro's/pocs, I don't have an irix box either though ;]

integer overflow/misallocation occurs at 1071, write to bad memory at 1076

1042 alp_readsamps(alpobject *self, PyObject *args) 1043 { 1044 long count; 1045 PyObject v; 1046 ALconfig c; 1047 int width; 1048 int ret; 1049 1050 if (!PyArg_ParseTuple(args, "l:readsamps", &count)) 1051 return NULL; 1052 1053 if (count <= 0) { 1054 PyErr_SetString(ErrorObject, "al.readsamps : arg <= 0"); 1055 return NULL; 1056 } 1057 1058 c = ALgetconfig(self->port); 1059 #ifdef AL_405 1060 width = ALgetsampfmt(c); 1061 if (width == AL_SAMPFMT_FLOAT) 1062 width = sizeof(float); 1063 else if (width == AL_SAMPFMT_DOUBLE) 1064 width = sizeof(double); 1065 else 1066 width = ALgetwidth(c); 1067 #else 1068 width = ALgetwidth(c); 1069 #endif / AL_405 */ 1070 ALfreeconfig(c); 1071 v = PyString_FromStringAndSize((char *)NULL, width * count); 1072 if (v == NULL) 1073 return NULL; 1074 1075 Py_BEGIN_ALLOW_THREADS 1076 ret = ALreadsamps(self->port, (void *) PyString_AsString(v), count); 1077 Py_END_ALLOW_THREADS 1078 if (ret == -1) { 1079 Py_DECREF(v); 1080 return NULL; 1081 } 1082 1083 return (v); 1084 }