[asterisk-bugs] [Asterisk 0016407]: [patch] potential buffer overflow in say_date_with_format()

Asterisk Bug Tracker noreply at bugs.digium.com
Mon Dec 7 17:49:26 CST 2009 

A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=16407 
====================================================================== 
Reported By:                qwell
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   16407
Category:                   Core/General
Reproducibility:            have not tried
Severity:                   crash
Priority:                   low
Status:                     new
Asterisk Version:           SVN 
JIRA:                       SWP-505 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
====================================================================== 
Date Submitted:             2009-12-07 15:40 CST
Last Modified:              2009-12-07 17:49 CST
====================================================================== 
Summary:                    [patch] potential buffer overflow in
say_date_with_format()
Description: 
An improper (or crafted) format string can cause a buffer overflow in
say_date_with_format().

Inside the ast_say_date_with_format_LANG() functions (all of them appear
to have the same bug - yay copy/paste?), there is a for loop that iterates
over format.  If format contains only one apostrophe, the inner loop can
loop beyond the end of format.


I believe that inner loop should be checking bounds with format[offset +
1].
====================================================================== 

---------------------------------------------------------------------- 
 (0114899) dant (reporter) - 2009-12-07 17:49
 https://issues.asterisk.org/view.php?id=16407#c114899 
---------------------------------------------------------------------- 
Patch attached that checks for null string terminator on index increment in
the inner loop. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-12-07 17:49 dant           Note Added: 0114899                          
======================================================================

More information about the asterisk-bugs mailing list