[asterisk-bugs] [Asterisk 0016407]: [patch] potential buffer overflow in say_date_with_format()
Asterisk Bug Tracker
noreply at bugs.digium.com
Tue Dec 8 09:59:11 CST 2009
The following issue has been UPDATED.
======================================================================
https://issues.asterisk.org/view.php?id=16407
======================================================================
Reported By: qwell
Assigned To:
======================================================================
Project: Asterisk
Issue ID: 16407
Category: Core/General
Reproducibility: have not tried
Severity: crash
Priority: low
Status: ready for testing
Asterisk Version: SVN
JIRA: SWP-505
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
======================================================================
Date Submitted: 2009-12-07 15:40 CST
Last Modified: 2009-12-08 09:59 CST
======================================================================
Summary: [patch] potential buffer overflow in
say_date_with_format()
Description:
An improper (or crafted) format string can cause a buffer overflow in
say_date_with_format().
Inside the ast_say_date_with_format_LANG() functions (all of them appear
to have the same bug - yay copy/paste?), there is a for loop that iterates
over format. If format contains only one apostrophe, the inner loop can
loop beyond the end of format.
I believe that inner loop should be checking bounds with format[offset +
1].
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
2009-12-08 09:58 lmadsen Status new => ready for
testing
======================================================================
More information about the asterisk-bugs
mailing list