[asterisk-bugs] [Asterisk 0013299]: asterisk crashes when SPRINTF function has too few arguments
Asterisk Bug Tracker
noreply at bugs.digium.com
Wed Aug 13 12:18:51 CDT 2008
The following issue is now READY FOR TESTING.
======================================================================
http://bugs.digium.com/view.php?id=13299
======================================================================
Reported By: adomjan
Assigned To: Corydon76
======================================================================
Project: Asterisk
Issue ID: 13299
Category: Functions/General
Reproducibility: always
Severity: crash
Priority: normal
Status: ready for testing
Asterisk Version: SVN
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.0
SVN Revision (number only!): 137350
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 2008-08-13 09:47 CDT
Last Modified: 2008-08-13 12:18 CDT
======================================================================
Summary: asterisk crashes when SPRINTF function has too few arguments
Description:
reproduce:
Set(num=5)
Set(string="a%ib%ic%id")
NoOP(${SPRINTF("${string}",${num},${num})})
crash:
==27040==
==27040== Thread 30:
==27040== Invalid read of size 1
==27040== at 0x30F087AD30: rawmemchr (in /lib64/libc-2.5.so)
==27040== by 0x30F086EE19: _IO_str_init_static_internal (in /lib64/libc-2.5.so)
==27040== by 0x30F0863794: vsscanf (in /lib64/libc-2.5.so)
==27040== by 0x30F085EAF7: sscanf (in /lib64/libc-2.5.so)
==27040== by 0xF2C95BA: ??? (func_strings.c:499)
==27040== by 0x49BCCA: ast_func_read (pbx.c:2774)
==27040== by 0x49F6EF: pbx_substitute_variables_helper_full (pbx.c:2908)
==27040== by 0x4A17F6: pbx_extension_helper (pbx.c:3000)
==27040== by 0x4A3C38: __ast_pbx_run (pbx.c:3598)
==27040== by 0x4A4FA8: pbx_thread (pbx.c:3948)
==27040== by 0x4D8C8B: dummy_start (utils.c:917)
==27040== by 0x30F1406306: start_thread (in /lib64/libpthread-2.5.so)
==27040== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==27040==
==27040== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==27040== Access not within mapped region at address 0x0
==27040== at 0x30F087AD30: rawmemchr (in /lib64/libc-2.5.so)
==27040== by 0x30F086EE19: _IO_str_init_static_internal (in /lib64/libc-2.5.so)
==27040== by 0x30F0863794: vsscanf (in /lib64/libc-2.5.so)
==27040== by 0x30F085EAF7: sscanf (in /lib64/libc-2.5.so)
==27040== by 0xF2C95BA: ??? (func_strings.c:499)
==27040== by 0x49BCCA: ast_func_read (pbx.c:2774)
==27040== by 0x49F6EF: pbx_substitute_variables_helper_full (pbx.c:2908)
==27040== by 0x4A17F6: pbx_extension_helper (pbx.c:3000)
==27040== by 0x4A3C38: __ast_pbx_run (pbx.c:3598)
==27040== by 0x4A4FA8: pbx_thread (pbx.c:3948)
==27040== by 0x4D8C8B: dummy_start (utils.c:917)
==27040== by 0x30F1406306: start_thread (in /lib64/libpthread-2.5.so)
==27040==
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
2008-08-13 12:18 Corydon76 Status assigned => ready for testing
======================================================================
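
Added example, not part of the bug report and not Asterisk's source: the trace shows sscanf() reading address 0x0 when the format holds three %i conversions but only two arguments are passed. The sketch below checks the argument count before each conversion; safe_format is a hypothetical name, and only %i, %d, %s and %% are handled.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Asterisk's code): expands %i, %d and %s in fmt
 * from the string arguments argv[0..argc-1]. Returns 0 on success, -1 when
 * arguments run out, an argument is not a number, the conversion is
 * unsupported, or out is too small. */
int safe_format(char *out, size_t outlen, const char *fmt,
                const char *const *argv, int argc)
{
    size_t used = 0;
    int next = 0;
    if (!out || !outlen || !fmt)
        return -1;
    for (const char *p = fmt; *p; p++) {
        char piece[32] = { *p, '\0' };  /* default: copy one literal char */
        const char *src = piece;
        if (*p == '%' && *++p != '%') {
            if (*p != 'i' && *p != 'd' && *p != 's')
                return -1;              /* unsupported or truncated conversion */
            /* Condition from the report: more conversions than arguments.
             * Refuse instead of passing a missing argument to sscanf(). */
            if (next >= argc || !argv[next])
                return -1;
            if (*p == 's') {
                src = argv[next++];
            } else {
                int v;
                if (sscanf(argv[next++], "%d", &v) != 1)
                    return -1;
                snprintf(piece, sizeof(piece), "%d", v);
            }
        }
        size_t n = strlen(src);
        if (used + n >= outlen)
            return -1;
        memcpy(out + used, src, n);
        used += n;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    const char *args[] = { "5", "5" };  /* constructed: the report's two arguments */
    printf("rc=%d\n", safe_format(buf, sizeof(buf), "a%ib%ic%id", args, 2));
    return 0;
}
```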