[asterisk-bugs] [Asterisk 0016407]: [patch] potential buffer overflow in say_date_with_format()

Asterisk Bug Tracker noreply at bugs.digium.com
Mon Jan 4 15:51:56 CST 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=16407 
====================================================================== 
Reported By:                qwell
Assigned To:                tilghman
====================================================================== 
Project:                    Asterisk
Issue ID:                   16407
Category:                   Core/General
Reproducibility:            have not tried
Severity:                   crash
Priority:                   low
Status:                     closed
Asterisk Version:           SVN 
JIRA:                       SWP-505 
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): N/A 
SVN Revision (number only!):  
Request Review:              
Resolution:                 fixed
Fixed in Version:           
====================================================================== 
Date Submitted:             2009-12-07 15:40 CST
Last Modified:              2010-01-04 15:51 CST
====================================================================== 
Summary:                    [patch] potential buffer overflow in
say_date_with_format()
Description: 
An improper (or crafted) format string can cause a buffer overflow in
say_date_with_format().

Inside the ast_say_date_with_format_LANG() functions (all of them appear
to have the same bug - yay copy/paste?), there is a for loop that iterates
over format.  If format contains only one apostrophe, the inner loop can
loop beyond the end of format.


I believe that inner loop should be checking bounds with format[offset +
1].
====================================================================== 

---------------------------------------------------------------------- 
 (0116015) svnbot (reporter) - 2010-01-04 15:51
 https://issues.asterisk.org/view.php?id=16407#c116015 
---------------------------------------------------------------------- 
Repository: asterisk
Revision: 237575

_U  branches/1.6.0/
U   branches/1.6.0/main/say.c

------------------------------------------------------------------------
r237575 | tilghman | 2010-01-04 15:51:55 -0600 (Mon, 04 Jan 2010) | 20
lines

Merged revisions 237574 via svnmerge from 
https://origsvn.digium.com/svn/asterisk/trunk

................
  r237574 | tilghman | 2010-01-04 15:48:20 -0600 (Mon, 04 Jan 2010) | 13
lines
  
  Merged revisions 237573 via svnmerge from 
  https://origsvn.digium.com/svn/asterisk/branches/1.4
  
  ........
    r237573 | tilghman | 2010-01-04 15:45:46 -0600 (Mon, 04 Jan 2010) | 6
lines
    
    Bounds checking for input string
    (closes issue https://issues.asterisk.org/view.php?id=16407)
     Reported by: qwell
     Patches: 
           20100104__issue16407.diff.txt uploaded by tilghman (license 14)
  ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=237575 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-01-04 15:51 svnbot         Checkin                                      
2010-01-04 15:51 svnbot         Note Added: 0116015                          
======================================================================




More information about the asterisk-bugs mailing list