[asterisk-bugs] [Asterisk 0016407]: [patch] potential buffer overflow in say_date_with_format()
Asterisk Bug Tracker
noreply at bugs.digium.com
Tue Jan 5 09:26:18 CST 2010
The following issue has been UPDATED.
======================================================================
https://issues.asterisk.org/view.php?id=16407
======================================================================
Reported By: qwell
Assigned To: tilghman
======================================================================
Project: Asterisk
Issue ID: 16407
Category: Core/General
Reproducibility: have not tried
Severity: crash
Priority: low
Status: closed
Target Version: 1.4.29
Asterisk Version: SVN
JIRA: SWP-505
Regression: No
Reviewboard Link:
SVN Branch (only for SVN checkouts, not tarball releases): N/A
SVN Revision (number only!):
Request Review:
Resolution: fixed
Fixed in Version:
======================================================================
Date Submitted: 2009-12-07 15:40 CST
Last Modified: 2010-01-05 09:26 CST
======================================================================
Summary: [patch] potential buffer overflow in
say_date_with_format()
Description:
An improper (or crafted) format string can cause a buffer overflow in
say_date_with_format().
Inside the ast_say_date_with_format_LANG() functions (all of them appear
to have the same bug - yay copy/paste?), there is a for loop that iterates
over format. If format contains only one apostrophe, the inner loop can
loop beyond the end of format.
I believe that inner loop should be checking bounds with format[offset +
1].
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
2010-01-05 09:26 lmadsen Target Version => 1.4.29
2010-01-05 09:26 lmadsen Description Updated
======================================================================
More information about the asterisk-bugs
mailing list