kenmirrors/freeswitch
1
0
Fork 0
mirror of https://github.com/signalwire/freeswitch.git synced 2025-04-22 19:29:54 +00:00
Code Issues Projects Releases Wiki Activity

Buffer overflow in switch_channel_expand_variables_check and switch_event_expand_headers_check fixed (FS-8757)

Browse Source
This commit is contained in:
Thomas Weber 2016-01-19 14:50:38 +01:00 committed by Anthony Minessale
parent 1b9fda720a
commit 346e044daf
2 changed files with 32 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/switch_channel.c
View File

@ -3883,6 +3883,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
p++; p++;
continue; continue;
} else if (*(p + 1) == '\\') { } else if (*(p + 1) == '\\') {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p++; *c++ = *p++;
len++; len++;
continue; continue;
@ -3908,6 +3912,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
} }
if (nv) { if (nv) {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p; *c++ = *p;
len++; len++;
nv = 0; nv = 0;
@ -4103,11 +4111,12 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
vname = NULL; vname = NULL;
br = 0; br = 0;
} }
if (sp) {
if (len + 1 >= olen) { if (len + 1 >= olen) {
resize(1); resize(1);
} }
if (sp) {
*c++ = ' '; *c++ = ' ';
sp = 0; sp = 0;
len++; len++;
@ -4116,6 +4125,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
if (*p == '$') { if (*p == '$') {
p--; p--;
} else { } else {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p; *c++ = *p;
len++; len++;
} }

15
src/switch_event.c
View File

@ -2240,6 +2240,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
p++; p++;
continue; continue;
} else if (*(p + 1) == '\\') { } else if (*(p + 1) == '\\') {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p++; *c++ = *p++;
len++; len++;
continue; continue;
@ -2264,6 +2268,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
} }
if (nv) { if (nv) {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p; *c++ = *p;
len++; len++;
nv = 0; nv = 0;
@ -2464,11 +2472,12 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
vtype = 0; vtype = 0;
br = 0; br = 0;
} }
if (sp) {
if (len + 1 >= olen) { if (len + 1 >= olen) {
resize(1); resize(1);
} }
if (sp) {
*c++ = ' '; *c++ = ' ';
sp = 0; sp = 0;
len++; len++;
@ -2477,6 +2486,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
if (*p == '$') { if (*p == '$') {
p--; p--;
} else { } else {
if (len + 1 >= olen) {
resize(1);
}
*c++ = *p; *c++ = *p;
len++; len++;
} }