2011-11-29 Rohini S <[email protected]> s11express-2010-11 OSE1011_SRU14_04
authorrohinis
Tue, 29 Nov 2011 17:32:55 +0000
branchs11express-2010-11
changeset 22234 c23e64da3e06
parent 22230 36815743c77a
2011-11-29 Rohini S <[email protected]> * patches/Python26-22-audio.diff: Fixes CVE-2010-1634 * specs/SUNWPython26.spec: Fixes CR 7085446
ChangeLog
patches/Python26-22-audio.diff
specs/SUNWPython26.spec
--- a/ChangeLog	Tue Nov 22 10:23:08 2011 +0000
+++ b/ChangeLog	Tue Nov 29 17:32:55 2011 +0000
@@ -1,3 +1,8 @@
+2011-11-29  Rohini S  <[email protected]>
+
+	* patches/Python26-22-audio.diff: Fixes CVE-2010-1634
+	* specs/SUNWPython26.spec: Fixes CR 7085446 
+
 2011-11-11  Abhijit Nath <[email protected]>
 
         * Modified specs/SUNWitasn1.spec
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/Python26-22-audio.diff	Tue Nov 29 17:32:55 2011 +0000
@@ -0,0 +1,203 @@
+--- a/Modules/audioop.c	2011-09-25 05:24:35.789815000 +0100
++++ b/Modules/audioop.c	2011-09-25 06:55:35.782359000 +0100
+@@ -829,7 +829,7 @@
+ audioop_tostereo(PyObject *self, PyObject *args)
+ {
+         signed char *cp, *ncp;
+-        int len, new_len, size, val1, val2, val = 0;
++        int len, size, val1, val2, val = 0;
+         double fac1, fac2, fval, maxval;
+         PyObject *rv;
+         int i;
+@@ -846,14 +846,13 @@
+                 return 0;
+         }
+     
+-        new_len = len*2;
+-        if (new_len < 0) {
++        if (len > INT_MAX/2) {
+                 PyErr_SetString(PyExc_MemoryError,
+                                 "not enough memory for output buffer");
+                 return 0;
+         }
+ 
+-        rv = PyString_FromStringAndSize(NULL, new_len);
++        rv = PyString_FromStringAndSize(NULL, len*2);
+         if ( rv == 0 )
+                 return 0;
+         ncp = (signed char *)PyString_AsString(rv);
+@@ -1016,7 +1015,7 @@
+ {
+         signed char *cp;
+         unsigned char *ncp;
+-        int len, new_len, size, size2, val = 0;
++        int len, size, size2, val = 0;
+         PyObject *rv;
+         int i, j;
+ 
+@@ -1030,13 +1029,12 @@
+                 return 0;
+         }
+     
+-        new_len = (len/size)*size2;
+-        if (new_len < 0) {
++        if (len/size > INT_MAX/size2) {
+                 PyErr_SetString(PyExc_MemoryError,
+                                 "not enough memory for output buffer");
+                 return 0;
+         }
+-        rv = PyString_FromStringAndSize(NULL, new_len);
++        rv = PyString_FromStringAndSize(NULL, (len/size)*size2);
+         if ( rv == 0 )
+                 return 0;
+         ncp = (unsigned char *)PyString_AsString(rv);
+@@ -1072,7 +1070,6 @@
+         int chan, d, *prev_i, *cur_i, cur_o;
+         PyObject *state, *samps, *str, *rv = NULL;
+         int bytes_per_frame;
+-        size_t alloc_size;
+ 
+         weightA = 1;
+         weightB = 0;
+@@ -1115,14 +1112,13 @@
+         inrate /= d;
+         outrate /= d;
+ 
+-        alloc_size = sizeof(int) * (unsigned)nchannels;
+-        if (alloc_size < nchannels) {
++	if ((size_t)nchannels > PY_SIZE_MAX/sizeof(int)) {
+                 PyErr_SetString(PyExc_MemoryError,
+                                 "not enough memory for output buffer");
+                 return 0;
+         }
+-        prev_i = (int *) malloc(alloc_size);
+-        cur_i = (int *) malloc(alloc_size);
++        prev_i = (int *) malloc(nchannels * sizeof(int));
++        cur_i = (int *) malloc(nchannels * sizeof(int));
+         if (prev_i == NULL || cur_i == NULL) {
+                 (void) PyErr_NoMemory();
+                 goto exit;
+@@ -1160,24 +1156,11 @@
+                    requires bytes_per_frame bytes.  Computing this
+                    without spurious overflow is the challenge; we can
+                    settle for a reasonable upper bound, though. */
+-                int ceiling;   /* the number of output frames */
+-                int nbytes;    /* the number of output bytes needed */
+-                int q = len / inrate;
+-                /* Now len = q * inrate + r exactly (with r = len % inrate),
+-                   and this is less than q * inrate + inrate = (q+1)*inrate.
+-                   So a reasonable upper bound on len*outrate/inrate is
+-                   ((q+1)*inrate)*outrate/inrate =
+-                   (q+1)*outrate.
+-                */
+-                ceiling = (q+1) * outrate;
+-                nbytes = ceiling * bytes_per_frame;
+-                /* See whether anything overflowed; if not, get the space. */
+-                if (q+1 < 0 ||
+-                    ceiling / outrate != q+1 ||
+-                    nbytes / bytes_per_frame != ceiling)
++                int q = len > 0 ? 1 + (len - 1) / inrate : 0; 
++		if (outrate > INT_MAX / q / bytes_per_frame)
+                         str = NULL;
+                 else
+-                        str = PyString_FromStringAndSize(NULL, nbytes);
++                        str = PyString_FromStringAndSize(NULL, q * outrate * bytes_per_frame);
+ 
+                 if (str == NULL) {
+                         PyErr_SetString(PyExc_MemoryError,
+@@ -1296,7 +1279,7 @@
+         unsigned char *cp;
+         unsigned char cval;
+         signed char *ncp;
+-        int len, new_len, size, val;
++        int len, size, val;
+         PyObject *rv;
+         int i;
+ 
+@@ -1309,18 +1292,17 @@
+                 return 0;
+         }
+     
+-        new_len = len*size;
+-        if (new_len < 0) {
++        if (len > INT_MAX/size) {
+                 PyErr_SetString(PyExc_MemoryError,
+                                 "not enough memory for output buffer");
+                 return 0;
+         }
+-        rv = PyString_FromStringAndSize(NULL, new_len);
++        rv = PyString_FromStringAndSize(NULL, len*size);
+         if ( rv == 0 )
+                 return 0;
+         ncp = (signed char *)PyString_AsString(rv);
+     
+-        for ( i=0; i < new_len; i += size ) {
++        for ( i=0; i < len*size; i += size ) {
+                 cval = *cp++;
+                 val = st_ulaw2linear16(cval);
+         
+@@ -1370,7 +1352,7 @@
+         unsigned char *cp;
+         unsigned char cval;
+         signed char *ncp;
+-        int len, new_len, size, val;
++        int len, size, val;
+         PyObject *rv;
+         int i;
+ 
+@@ -1383,18 +1365,17 @@
+                 return 0;
+         }
+     
+-        new_len = len*size;
+-        if (new_len < 0) {
++        if (len > INT_MAX/size) {
+                 PyErr_SetString(PyExc_MemoryError,
+                                 "not enough memory for output buffer");
+                 return 0;
+         }
+-        rv = PyString_FromStringAndSize(NULL, new_len);
++        rv = PyString_FromStringAndSize(NULL, len*size);
+         if ( rv == 0 )
+                 return 0;
+         ncp = (signed char *)PyString_AsString(rv);
+     
+-        for ( i=0; i < new_len; i += size ) {
++        for ( i=0; i < len*size; i += size ) {
+                 cval = *cp++;
+                 val = st_alaw2linear16(cval);
+         
+@@ -1519,7 +1500,7 @@
+ {
+         signed char *cp;
+         signed char *ncp;
+-        int len, new_len, size, valpred, step, delta, index, sign, vpdiff;
++        int len, size, valpred, step, delta, index, sign, vpdiff;
+         PyObject *rv, *str, *state;
+         int i, inputbuffer = 0, bufferstep;
+ 
+@@ -1541,13 +1522,12 @@
+         } else if ( !PyArg_ParseTuple(state, "ii", &valpred, &index) )
+                 return 0;
+     
+-        new_len = len*size*2;
+-        if (new_len < 0) {
++        if (len > (INT_MAX/2)/size) {
+                 PyErr_SetString(PyExc_MemoryError,
+                                 "not enough memory for output buffer");
+                 return 0;
+         }
+-        str = PyString_FromStringAndSize(NULL, new_len);
++        str = PyString_FromStringAndSize(NULL, len*size*2);
+         if ( str == 0 )
+                 return 0;
+         ncp = (signed char *)PyString_AsString(str);
+@@ -1555,7 +1535,7 @@
+         step = stepsizeTable[index];
+         bufferstep = 0;
+     
+-        for ( i=0; i < new_len; i += size ) {
++        for ( i=0; i < len*size*2; i += size ) {
+                 /* Step 1 - get the delta value and compute next index */
+                 if ( bufferstep ) {
+                         delta = inputbuffer & 0xf;
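Review bot: In the rate-conversion section of the embedded patch (inner hunk `@@ -1160,24 +1156,11 @@`), `q` is 0 whenever `len` is 0, and the following line then evaluates `INT_MAX / q / bytes_per_frame`, which is an integer division by zero (undefined behaviour, typically a fatal arithmetic trap for the interpreter process). Whether a zero-length fragment can reach this point depends on validation outside the hunk, so it should be confirmed, but the `len > 0 ? ... : 0` expression itself treats the zero case as expected. Guarding the comparison keeps the overflow check and still lets a zero-byte output string be allocated: `if (q != 0 && outrate > INT_MAX / q / bytes_per_frame)`. The enclosing function begins and ends outside the lines shown, so the surrounding handling of `str` was not reviewed.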
--- a/specs/SUNWPython26.spec	Tue Nov 22 10:23:08 2011 +0000
+++ b/specs/SUNWPython26.spec	Tue Nov 29 17:32:55 2011 +0000
@@ -91,6 +91,8 @@
 Patch20:                 Python26-20-py_db.diff
 # date:2010-09-08 owner:gheet type:feature bugster:6853801
 Patch21:                 Python26-21-getpass.diff
+# date:2011-11-29 owner:rohinis type:bug bugster:7085446
+Patch22:                Python26-22-audio.diff 
 
 %include default-depend.inc
 BuildRequires: SUNWTk
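Review bot: The comment added above `Patch22` records only the internal CR (`bugster:7085446`), although the ChangeLog entry in this same changeset says the patch fixes CVE-2010-1634. Carrying the CVE identifier in the spec makes the fix discoverable when the package is audited for security coverage; if the comment format tolerates an extra field, something like `# date:2011-11-29 owner:rohinis type:bug bugster:7085446 CVE-2010-1634` would do. The `%changelog` line added in the last hunk of this file (`- add patch audio.diff, fixes 7085446`) has the same gap and could name the CVE as well.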
@@ -145,6 +147,7 @@
 %patch19 -p1
 %patch20 -p1
 %patch21 -p1
+%patch22 -p1
 cd ..
 
 echo fixing python binary name/path in python scripts:
@@ -442,6 +445,8 @@
 %{_libdir}/python?.?/py[cC][cC]
 
 %changelog
+* Tue Nov 29 2011 - [email protected]
+- add patch audio.diff, fixes 7085446
 * Tue Jun 08 2010 - [email protected]
 - Updated BuildRequires to fit SourceJuicer.
 * Wed Dec 23 2009 - [email protected]