[asterisk-bugs] [Asterisk 0016407]: [patch] potential buffer overflow in say_date_with_format()
Asterisk Bug Tracker
noreply at bugs.digium.com
Mon Jan 4 15:51:56 CST 2010
A NOTE has been added to this issue.
======================================================================
https://issues.asterisk.org/view.php?id=16407
======================================================================
Reported By: qwell
Assigned To: tilghman
======================================================================
Project: Asterisk
Issue ID: 16407
Category: Core/General
Reproducibility: have not tried
Severity: crash
Priority: low
Status: closed
Asterisk Version: SVN
JIRA: SWP-505
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 2009-12-07 15:40 CST
Last Modified: 2010-01-04 15:51 CST
======================================================================
Summary: [patch] potential buffer overflow in
say_date_with_format()
Description:
An improper (or crafted) format string can cause a buffer overflow in
say_date_with_format().
Inside the ast_say_date_with_format_LANG() functions (all of them appear
to have the same bug - yay copy/paste?), there is a for loop that iterates
over format. If format contains only one apostrophe, the inner loop can
loop beyond the end of format.
I believe that inner loop should be checking bounds with format[offset +
1].
======================================================================
----------------------------------------------------------------------
(0116015) svnbot (reporter) - 2010-01-04 15:51
https://issues.asterisk.org/view.php?id=16407#c116015
----------------------------------------------------------------------
Repository: asterisk
Revision: 237575
_U branches/1.6.0/
U branches/1.6.0/main/say.c
------------------------------------------------------------------------
r237575 | tilghman | 2010-01-04 15:51:55 -0600 (Mon, 04 Jan 2010) | 20
lines
Merged revisions 237574 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk
................
r237574 | tilghman | 2010-01-04 15:48:20 -0600 (Mon, 04 Jan 2010) | 13
lines
Merged revisions 237573 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4
........
r237573 | tilghman | 2010-01-04 15:45:46 -0600 (Mon, 04 Jan 2010) | 6
lines
Bounds checking for input string
(closes issue https://issues.asterisk.org/view.php?id=16407)
Reported by: qwell
Patches:
20100104__issue16407.diff.txt uploaded by tilghman (license 14)
........
................
------------------------------------------------------------------------
http://svn.digium.com/view/asterisk?view=rev&revision=237575
Issue History
Date Modified Username Field Change
======================================================================
2010-01-04 15:51 svnbot Checkin
2010-01-04 15:51 svnbot Note Added: 0116015
======================================================================
More information about the asterisk-bugs
mailing list