Issue #13806: The size check in audioop decompression functions was too strict and could reject valid compressed data.

Patch by Oleg Plakhotnyuk.
author: Antoine Pitrou <solipsis@pitrou.net> 2012-01-28 22:01:59 +0100
committer: Antoine Pitrou <solipsis@pitrou.net> 2012-01-28 22:01:59 +0100
commit: 88c51e8cb12002404b9b1050831bf317a786d6e9 (patch)
tree: 9aa85fdae032afa049a23b3be9b16492ba8aa029
parent: 1abe6cd84245322883982cb7c5e3f9d754ea3171 (diff)
download: cpython-git-88c51e8cb12002404b9b1050831bf317a786d6e9.tar.gz
3 files changed, 25 insertions, 9 deletions
diff --git a/Lib/test/test_audioop.py b/Lib/test/test_audioop.py
index e03ceb5b14..b065bc2e55 100644
--- a/Lib/test/test_audioop.py
+++ b/Lib/test/test_audioop.py
@@ -21,9 +21,9 @@ def gendata4():
 data = [gendata1(), gendata2(), gendata4()]
 
 INVALID_DATA = [
-    ('abc', 0),
-    ('abc', 2),
-    ('abc', 4),
+    (b'abc', 0),
+    (b'abc', 2),
+    (b'abc', 4),
 ]
 
 
@@ -94,7 +94,9 @@ class TestAudioop(unittest.TestCase):
 
     def test_adpcm2lin(self):
         # Very cursory test
-        self.assertEqual(audioop.adpcm2lin('\0\0', 1, None), ('\0\0\0\0', (0,0)))
+        self.assertEqual(audioop.adpcm2lin(b'\0\0', 1, None), (b'\0' * 4, (0,0)))
+        self.assertEqual(audioop.adpcm2lin(b'\0\0', 2, None), (b'\0' * 8, (0,0)))
+        self.assertEqual(audioop.adpcm2lin(b'\0\0', 4, None), (b'\0' * 16, (0,0)))
 
     def test_lin2adpcm(self):
         # Very cursory test
@@ -109,6 +111,9 @@ class TestAudioop(unittest.TestCase):
         # Cursory
         d = audioop.lin2alaw(data[0], 1)
         self.assertEqual(audioop.alaw2lin(d, 1), data[0])
+        self.assertEqual(audioop.alaw2lin(d, 2), b'\x08\x00\x08\x01\x10\x02')
+        self.assertEqual(audioop.alaw2lin(d, 4),
+            b'\x00\x00\x08\x00\x00\x00\x08\x01\x00\x00\x10\x02')
 
     def test_lin2ulaw(self):
         self.assertEqual(audioop.lin2ulaw(data[0], 1), '\xff\xe7\xdb')
@@ -119,6 +124,9 @@ class TestAudioop(unittest.TestCase):
         # Cursory
         d = audioop.lin2ulaw(data[0], 1)
         self.assertEqual(audioop.ulaw2lin(d, 1), data[0])
+        self.assertEqual(audioop.ulaw2lin(d, 2), b'\x00\x00\x04\x01\x0c\x02')
+        self.assertEqual(audioop.ulaw2lin(d, 4),
+            b'\x00\x00\x00\x00\x00\x00\x04\x01\x00\x00\x0c\x02')
 
     def test_mul(self):
         data2 = []
@@ -193,10 +201,15 @@ class TestAudioop(unittest.TestCase):
             self.assertRaises(audioop.error, audioop.lin2lin, data, size, size2)
             self.assertRaises(audioop.error, audioop.ratecv, data, size, 1, 1, 1, state)
             self.assertRaises(audioop.error, audioop.lin2ulaw, data, size)
-            self.assertRaises(audioop.error, audioop.ulaw2lin, data, size)
             self.assertRaises(audioop.error, audioop.lin2alaw, data, size)
-            self.assertRaises(audioop.error, audioop.alaw2lin, data, size)
             self.assertRaises(audioop.error, audioop.lin2adpcm, data, size, state)
+
+    def test_wrongsize(self):
+        data = b'abc'
+        state = None
+        for size in (-1, 3, 5):
+            self.assertRaises(audioop.error, audioop.ulaw2lin, data, size)
+            self.assertRaises(audioop.error, audioop.alaw2lin, data, size)
             self.assertRaises(audioop.error, audioop.adpcm2lin, data, size, state)
 
 def test_main():
diff --git a/Misc/NEWS b/Misc/NEWS
index 7b3bebce36..1c6b66f955 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -90,6 +90,9 @@ Core and Builtins
 Library
 -------
 
+- Issue #13806: The size check in audioop decompression functions was too
+  strict and could reject valid compressed data.  Patch by Oleg Plakhotnyuk.
+
 - Issue #13885: CVE-2011-3389: the _ssl module would always disable the CBC
   IV attack countermeasure.
 
diff --git a/Modules/audioop.c b/Modules/audioop.c
index fb69ed38d6..fc79cf52b2 100644
--- a/Modules/audioop.c
+++ b/Modules/audioop.c
@@ -1298,7 +1298,7 @@ audioop_ulaw2lin(PyObject *self, PyObject *args)
                            &cp, &len, &size) )
         return 0;
 
-    if (!audioop_check_parameters(len, size))
+    if (!audioop_check_size(size))
         return NULL;
 
     if (len > INT_MAX/size) {
@@ -1367,7 +1367,7 @@ audioop_alaw2lin(PyObject *self, PyObject *args)
                            &cp, &len, &size) )
         return 0;
 
-    if (!audioop_check_parameters(len, size))
+    if (!audioop_check_size(size))
         return NULL;
 
     if (len > INT_MAX/size) {
@@ -1509,7 +1509,7 @@ audioop_adpcm2lin(PyObject *self, PyObject *args)
                            &cp, &len, &size, &state) )
         return 0;
 
-    if (!audioop_check_parameters(len, size))
+    if (!audioop_check_size(size))
         return NULL;
 
     /* Decode state, should have (value, step) */
author	Antoine Pitrou <solipsis@pitrou.net>	2012-01-28 22:01:59 +0100
committer	Antoine Pitrou <solipsis@pitrou.net>	2012-01-28 22:01:59 +0100
commit	88c51e8cb12002404b9b1050831bf317a786d6e9 (patch)
tree	9aa85fdae032afa049a23b3be9b16492ba8aa029
parent	1abe6cd84245322883982cb7c5e3f9d754ea3171 (diff)
download	cpython-git-88c51e8cb12002404b9b1050831bf317a786d6e9.tar.gz