[asterisk-bugs] [Asterisk 0013299]: [patch] asterisk crashes when SPRINTF function has too few arguments

Asterisk Bug Tracker noreply at bugs.digium.com
Thu Aug 14 03:38:52 CDT 2008


A NOTE has been added to this issue. 
====================================================================== 
http://bugs.digium.com/view.php?id=13299 
====================================================================== 
Reported By:                adomjan
Assigned To:                Corydon76
====================================================================== 
Project:                    Asterisk
Issue ID:                   13299
Category:                   Functions/General
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     ready for testing
Asterisk Version:           SVN 
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.0 
SVN Revision (number only!): 137350 
Disclaimer on File?:        N/A 
Request Review:              
====================================================================== 
Date Submitted:             2008-08-13 09:47 CDT
Last Modified:              2008-08-14 03:38 CDT
====================================================================== 
Summary:                    [patch] asterisk crashes when SPRINTF function has
too few arguments
Description: 
reproduce:
Set(num=5)
Set(string="a%ib%ic%id")
NoOP(${SPRINTF("${string}",${num},${num})})

crash:
==27040== 
==27040== Thread 30:
==27040== Invalid read of size 1
==27040==    at 0x30F087AD30: rawmemchr (in /lib64/libc-2.5.so)
==27040==    by 0x30F086EE19: _IO_str_init_static_internal (in /lib64/libc-2.5.so)
==27040==    by 0x30F0863794: vsscanf (in /lib64/libc-2.5.so)
==27040==    by 0x30F085EAF7: sscanf (in /lib64/libc-2.5.so)
==27040==    by 0xF2C95BA: ??? (func_strings.c:499)
==27040==    by 0x49BCCA: ast_func_read (pbx.c:2774)
==27040==    by 0x49F6EF: pbx_substitute_variables_helper_full (pbx.c:2908)
==27040==    by 0x4A17F6: pbx_extension_helper (pbx.c:3000)
==27040==    by 0x4A3C38: __ast_pbx_run (pbx.c:3598)
==27040==    by 0x4A4FA8: pbx_thread (pbx.c:3948)
==27040==    by 0x4D8C8B: dummy_start (utils.c:917)
==27040==    by 0x30F1406306: start_thread (in /lib64/libpthread-2.5.so)
==27040==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==27040== 
==27040== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==27040==  Access not within mapped region at address 0x0
==27040==    at 0x30F087AD30: rawmemchr (in /lib64/libc-2.5.so)
==27040==    by 0x30F086EE19: _IO_str_init_static_internal (in /lib64/libc-2.5.so)
==27040==    by 0x30F0863794: vsscanf (in /lib64/libc-2.5.so)
==27040==    by 0x30F085EAF7: sscanf (in /lib64/libc-2.5.so)
==27040==    by 0xF2C95BA: ??? (func_strings.c:499)
==27040==    by 0x49BCCA: ast_func_read (pbx.c:2774)
==27040==    by 0x49F6EF: pbx_substitute_variables_helper_full (pbx.c:2908)
==27040==    by 0x4A17F6: pbx_extension_helper (pbx.c:3000)
==27040==    by 0x4A3C38: __ast_pbx_run (pbx.c:3598)
==27040==    by 0x4A4FA8: pbx_thread (pbx.c:3948)
==27040==    by 0x4D8C8B: dummy_start (utils.c:917)
==27040==    by 0x30F1406306: start_thread (in /lib64/libpthread-2.5.so)
==27040== 

====================================================================== 

---------------------------------------------------------------------- 
 (0091401) adomjan (reporter) - 2008-08-14 03:38
 http://bugs.digium.com/view.php?id=13299#c91401 
---------------------------------------------------------------------- 
I found another bug in SPRINTF; in some cases it returns a longer string than
expected:

dialplan (ael):
i=1;
vars="route_%i_skbk,route_%i_name,route_%i_metric";
NoOP(${SPRINTF("${vars}",${i},${i},${i})});

the result:
[Aug 14 10:41:33]     -- Executing [5238 at test-nums:3] Set("SIP/teszt-3622622222-095eada0", "i=1") in new stack
[Aug 14 10:41:33]     -- Executing [5238 at test-nums:4] Set("SIP/teszt-3622622222-095eada0", "vars="route_%i_skbk,route_%i_name,route_%i_metric"") in new stack
[Aug 14 10:41:33]     -- Executing [5238 at test-nums:5] NoOp("SIP/teszt-3622622222-095eada0", "route_1_skbk,route_1_name,route_1_metricv??*") in new stack
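The two symptoms in this report (the description's crash and the note's trailing garbage) are classic defects of a hand-rolled printf-style formatter: a conversion specifier is processed without first checking that an argument exists for it, so a NULL pointer reaches sscanf (the rawmemchr on address 0x0 in the valgrind trace), and the output buffer is returned without a guaranteed NUL terminator, so the caller reads whatever bytes follow. The following is an added, hypothetical formatter in C that is not Asterisk's func_strings.c; it only supports %d, %i, %s and %%, and it shows the two checks a reviewer would look for: an argument-count test before each conversion, and a buffer that is terminated on every return path, including the error paths and the truncation case.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified SPRINTF-style formatter (added example, not
 * Asterisk's code). fmt is a printf-style format using only %d/%i/%s/%%;
 * args holds the nargs argument strings that were actually supplied.
 * Returns 0 on success, -1 on too few arguments, a bad number or an
 * unsupported conversion. out is NUL-terminated on every return path. */
static int safe_format(const char *fmt, const char *const *args, int nargs,
                       char *out, size_t outlen)
{
    size_t used = 0;
    int argi = 0;

    if (!out || outlen == 0)
        return -1;
    out[0] = '\0';  /* never hand back an unterminated buffer */

    for (const char *p = fmt; *p; p++) {
        if (*p != '%') {
            if (used + 1 < outlen)  /* keep one byte for the terminator */
                out[used++] = *p;
            continue;
        }
        p++;
        if (*p == '%') {  /* literal percent sign consumes no argument */
            if (used + 1 < outlen)
                out[used++] = '%';
            continue;
        }
        /* Every other conversion consumes an argument: check that one exists
         * BEFORE it is dereferenced. This is the check whose absence lets
         * sscanf() be handed a NULL pointer. */
        if (argi >= nargs || !args[argi]) {
            out[used] = '\0';
            return -1;
        }

        char tmp[64];
        int n;
        switch (*p) {
        case 'd':
        case 'i': {
            int val;
            if (sscanf(args[argi], "%d", &val) != 1) {
                out[used] = '\0';
                return -1;
            }
            n = snprintf(tmp, sizeof tmp, "%d", val);
            break;
        }
        case 's':
            n = snprintf(tmp, sizeof tmp, "%s", args[argi]);
            break;
        default:  /* unsupported or truncated conversion (e.g. trailing '%') */
            out[used] = '\0';
            return -1;
        }
        argi++;
        if (n < 0) {
            out[used] = '\0';
            return -1;
        }
        /* snprintf reports the length it wanted to write; copy only what fits
         * in tmp and in the remaining room of out (minus the terminator). */
        size_t copy = (size_t)n;
        if (copy >= sizeof tmp)
            copy = sizeof tmp - 1;
        if (copy > outlen - 1 - used)
            copy = outlen - 1 - used;
        memcpy(out + used, tmp, copy);
        used += copy;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    char buf[64];
    /* Constructed inputs mirroring the two dialplan snippets in the report. */
    const char *const too_few[] = { "5", "5" };
    const char *const three[] = { "1", "1", "1" };

    if (safe_format("a%ib%ic%id", too_few, 2, buf, sizeof buf) != 0)
        printf("too few arguments rejected, buffer is \"%s\"\n", buf);
    if (safe_format("route_%i_skbk,route_%i_name,route_%i_metric",
                    three, 3, buf, sizeof buf) == 0)
        printf("formatted: \"%s\" (len %zu)\n", buf, strlen(buf));
    return 0;
}
```

The argument check returns an error for the first snippet instead of crashing, and the third-argument case produces exactly the expected 40-character string with no trailing bytes; with a buffer too small for the result the output is truncated but still terminated.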

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-08-14 03:38 adomjan        Note Added: 0091401                          
======================================================================



