[asterisk-bugs] [Asterisk 0017474]: [patch] Crash in dsp.c when entering digits from SpeechBackground

Asterisk Bug Tracker noreply at bugs.digium.com
Sat Jun 5 12:47:09 CDT 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17474 
====================================================================== 
Reported By:                kenner
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   17474
Category:                   Core/General
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.2 
SVN Revision (number only!): 268453 
Request Review:              
====================================================================== 
Date Submitted:             2010-06-05 11:36 CDT
Last Modified:              2010-06-05 12:47 CDT
====================================================================== 
Summary:                    [patch] Crash in dsp.c when entering digits from
SpeechBackground
Description: 
The field current_len is set to zero and decremented, but never incremented
in dsp.c.  But it's used as the operand of memmove, so the second time the
code in question is executed, memmove is passed an operand of -1, which
causes a crash.  I have a patch, which fixes the problem, but I don't
understand the code enough to be completely confident that it's correct.

====================================================================== 

---------------------------------------------------------------------- 
 (0123009) lottc (reporter) - 2010-06-05 12:47
 https://issues.asterisk.org/view.php?id=17474#c123009 
---------------------------------------------------------------------- 
I am pretty sure you are onto something, but you are correct in that your
patch isn't quite correct...  And someone may correct me here, but
current_len is the total sample length, and thus may exceed
MAX_DTMF_DIGITS+1 (the size of datalen). 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-06-05 12:47 lottc          Note Added: 0123009                          
======================================================================
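
The failure mode described in the report (a signed length counter that is decremented without a matching increment and then passed to memmove) is shown below as an added example; it is not code from dsp.c or from either poster's patch. The struct, the BUF_CAP value and the function names are hypothetical, and the example assumes the counter tracks the number of bytes held in the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_CAP 32               /* hypothetical capacity, not an Asterisk constant */

struct digit_buf {               /* hypothetical stand-in, not the dsp.c structure */
    char digits[BUF_CAP + 1];
    int current_len;             /* signed counter, as described in the report */
};

/* The length memmove() actually receives: int is converted to size_t. */
size_t memmove_len_for(int current_len)
{
    return (size_t)current_len;  /* -1 becomes SIZE_MAX */
}

/* Append one digit so the counter stays in step with the buffer contents. */
int push_digit(struct digit_buf *b, char d)
{
    if (b->current_len < 0 || b->current_len >= BUF_CAP)
        return -1;
    b->digits[b->current_len++] = d;
    b->digits[b->current_len] = '\0';
    return 0;
}

/* Drop the oldest digit; refuse when the counter is out of range. */
int drop_first_digit(struct digit_buf *b)
{
    if (b->current_len <= 0 || b->current_len > BUF_CAP)
        return -1;               /* unguarded, 0 would decrement to -1 here */
    b->current_len--;
    memmove(b->digits, b->digits + 1, (size_t)b->current_len);
    b->digits[b->current_len] = '\0';
    return 0;
}

int main(void)
{
    struct digit_buf b = { {0}, 0 };
    printf("memmove length for -1: %zu\n", memmove_len_for(-1));
    printf("drop on empty buffer: %d\n", drop_first_digit(&b));
    push_digit(&b, '1');
    push_digit(&b, '2');
    printf("drop after two pushes: %d, left \"%s\"\n", drop_first_digit(&b), b.digits);
    return 0;
}
```
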