[asterisk-bugs] [Asterisk 0013299]: [patch] asterisk crashes when SPRINTF function has too few arguments
Asterisk Bug Tracker
noreply at bugs.digium.com
Fri Aug 15 09:42:37 CDT 2008
A NOTE has been added to this issue.
======================================================================
http://bugs.digium.com/view.php?id=13299
======================================================================
Reported By: adomjan
Assigned To: Corydon76
======================================================================
Project: Asterisk
Issue ID: 13299
Category: Functions/General
Reproducibility: always
Severity: crash
Priority: normal
Status: ready for testing
Asterisk Version: SVN
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.0
SVN Revision (number only!): 137350
Disclaimer on File?: N/A
Request Review:
======================================================================
Date Submitted: 2008-08-13 09:47 CDT
Last Modified: 2008-08-15 09:42 CDT
======================================================================
Summary: [patch] asterisk crashes when SPRINTF function has too few arguments
Description:
reproduce:
Set(num=5)
Set(string="a%ib%ic%id")
NoOP(${SPRINTF("${string}",${num},${num})})
crash:
==27040==
==27040== Thread 30:
==27040== Invalid read of size 1
==27040== at 0x30F087AD30: rawmemchr (in /lib64/libc-2.5.so)
==27040== by 0x30F086EE19: _IO_str_init_static_internal (in /lib64/libc-2.5.so)
==27040== by 0x30F0863794: vsscanf (in /lib64/libc-2.5.so)
==27040== by 0x30F085EAF7: sscanf (in /lib64/libc-2.5.so)
==27040== by 0xF2C95BA: ??? (func_strings.c:499)
==27040== by 0x49BCCA: ast_func_read (pbx.c:2774)
==27040== by 0x49F6EF: pbx_substitute_variables_helper_full (pbx.c:2908)
==27040== by 0x4A17F6: pbx_extension_helper (pbx.c:3000)
==27040== by 0x4A3C38: __ast_pbx_run (pbx.c:3598)
==27040== by 0x4A4FA8: pbx_thread (pbx.c:3948)
==27040== by 0x4D8C8B: dummy_start (utils.c:917)
==27040== by 0x30F1406306: start_thread (in /lib64/libpthread-2.5.so)
==27040== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==27040==
==27040== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==27040== Access not within mapped region at address 0x0
==27040== at 0x30F087AD30: rawmemchr (in /lib64/libc-2.5.so)
==27040== by 0x30F086EE19: _IO_str_init_static_internal (in /lib64/libc-2.5.so)
==27040== by 0x30F0863794: vsscanf (in /lib64/libc-2.5.so)
==27040== by 0x30F085EAF7: sscanf (in /lib64/libc-2.5.so)
==27040== by 0xF2C95BA: ??? (func_strings.c:499)
==27040== by 0x49BCCA: ast_func_read (pbx.c:2774)
==27040== by 0x49F6EF: pbx_substitute_variables_helper_full (pbx.c:2908)
==27040== by 0x4A17F6: pbx_extension_helper (pbx.c:3000)
==27040== by 0x4A3C38: __ast_pbx_run (pbx.c:3598)
==27040== by 0x4A4FA8: pbx_thread (pbx.c:3948)
==27040== by 0x4D8C8B: dummy_start (utils.c:917)
==27040== by 0x30F1406306: start_thread (in /lib64/libpthread-2.5.so)
==27040==
======================================================================
----------------------------------------------------------------------
(0091446) svnbot (reporter) - 2008-08-15 09:42
http://bugs.digium.com/view.php?id=13299#c91446
----------------------------------------------------------------------
Repository: asterisk
Revision: 138023
U branches/1.4/funcs/func_strings.c
------------------------------------------------------------------------
r138023 | tilghman | 2008-08-15 09:42:32 -0500 (Fri, 15 Aug 2008) | 8 lines
Additional check for more string specifiers than arguments.
(closes issue http://bugs.digium.com/view.php?id=13299)
Reported by: adomjan
Patches:
20080813__bug13299.diff.txt uploaded by Corydon76 (license 14)
func_strings.c-sprintf.patch uploaded by adomjan (license 487)
Tested by: adomjan
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=138023
Issue History
Date Modified Username Field Change
======================================================================
2008-08-15 09:42 svnbot Checkin
2008-08-15 09:42 svnbot Note Added: 0091446
======================================================================