[asterisk-bugs] [Asterisk 0016407]: [patch] potential buffer overflow in say_date_with_format()
Asterisk Bug Tracker
noreply at bugs.digium.com
Mon Jan 4 15:45:48 CST 2010
The following issue has been RESOLVED.
======================================================================
https://issues.asterisk.org/view.php?id=16407
======================================================================
Reported By: qwell
Assigned To: tilghman
======================================================================
Project: Asterisk
Issue ID: 16407
Category: Core/General
Reproducibility: have not tried
Severity: crash
Priority: low
Status: resolved
Asterisk Version: SVN
JIRA: SWP-505
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 2009-12-07 15:40 CST
Last Modified: 2010-01-04 15:45 CST
======================================================================
Summary: [patch] potential buffer overflow in
say_date_with_format()
Description:
An improper (or crafted) format string can cause a buffer overflow in
say_date_with_format().
Inside the ast_say_date_with_format_LANG() functions (all of them appear
to have the same bug - yay copy/paste?), there is a for loop that iterates
over format. If format contains only one apostrophe, the inner loop can
loop beyond the end of format.
I believe that inner loop should be checking bounds with format[offset +
1].
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
2010-01-04 15:45 svnbot Status assigned => resolved
2010-01-04 15:45 svnbot Resolution open => fixed
======================================================================
More information about the asterisk-bugs
mailing list