[asterisk-bugs] [Asterisk 0017474]: [patch] Crash in dsp.c when entering digits from SpeechBackground

Asterisk Bug Tracker noreply at bugs.digium.com
Sat Jun 5 12:54:00 CDT 2010


A NOTE has been added to this issue. 
====================================================================== 
https://issues.asterisk.org/view.php?id=17474 
====================================================================== 
Reported By:                kenner
Assigned To:                
====================================================================== 
Project:                    Asterisk
Issue ID:                   17474
Category:                   Core/General
Reproducibility:            always
Severity:                   crash
Priority:                   normal
Status:                     new
Asterisk Version:           SVN 
JIRA:                        
Regression:                 No 
Reviewboard Link:            
SVN Branch (only for SVN checkouts, not tarball releases): 1.6.2 
SVN Revision (number only!): 268453 
Request Review:              
====================================================================== 
Date Submitted:             2010-06-05 11:36 CDT
Last Modified:              2010-06-05 12:54 CDT
====================================================================== 
Summary:                    [patch] Crash in dsp.c when entering digits from SpeechBackground
Description: 
The field current_len is set to zero and decremented, but never incremented
in dsp.c.  But it's used as the operand of memmove, so the second time the
code in question is executed, memmove is passed an operand of -1, which
causes a crash.  I have a patch which fixes the problem, but I don't
understand the code enough to be completely confident that it's correct.

======================================================================
Relationships       ID      Summary
----------------------------------------------------------------------
duplicate of        0017371 [patch] [regression] DAHDI analog FXS p...
====================================================================== 

---------------------------------------------------------------------- 
 (0123010) kenner (reporter) - 2010-06-05 12:54
 https://issues.asterisk.org/view.php?id=17474#c123010 
---------------------------------------------------------------------- 
No, current_len right now (pre any patch) is set to zero and then goes
DOWN, so it's certainly not anything like "the total sample length". 
Moreover, no more than MAX_DTMF_DIGITS can be saved: see
dsp.c:store_digits.

The question that I have is: in what ways did the author intend
current_digits and current_len to differ?  I'd have expected to see a
comment near the declaration of those fields to explain that, but without
that comment I have no idea and can only propose the patch I did, which has
the effect of making them always have the same value.

That's what I mean by it can't be correct: there's no point in having two
fields which always have the same value.  But it's CERTAINLY incorrect to
have a field being used as the size in a memmove which is never positive! 
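
The defect that the description and the note above both describe, modelled as an added C example that is not Asterisk's dsp.c: a hypothetical digit buffer whose current_len is kept in step with current_digits and checked before it is handed to memmove. MAX_DTMF_DIGITS is a constructed limit for this model, and memmove_size_from_int shows what a length of -1 becomes once it is converted to size_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the digit buffer discussed in the report; not Asterisk code. */
#define MAX_DTMF_DIGITS 128   /* constructed limit for this model */

struct digit_state {
    char digits[MAX_DTMF_DIGITS + 1];
    int current_digits;   /* digits currently stored */
    int current_len;      /* byte count handed to memmove when a digit is consumed */
};

/* What memmove receives when an int of -1 is used as its size argument:
 * conversion to size_t wraps to SIZE_MAX, so the copy runs off the buffer. */
size_t memmove_size_from_int(int len)
{
    return (size_t)len;
}

/* Store one digit. The defect in the report is that current_len was never
 * incremented here; keeping it in step with current_digits and honouring
 * MAX_DTMF_DIGITS is the repair. Returns 0 on success, -1 when full. */
int store_digit(struct digit_state *s, char d)
{
    if (s->current_digits >= MAX_DTMF_DIGITS)
        return -1;                       /* full: drop the digit, do not overrun */
    s->digits[s->current_digits++] = d;
    s->current_len++;
    s->digits[s->current_digits] = '\0';
    return 0;
}

/* Consume the oldest digit, shifting the rest down with memmove. The guard
 * on current_len is what stops a second call from passing (size_t)-1. */
int consume_digit(struct digit_state *s)
{
    if (s->current_len <= 0 || s->current_digits <= 0)
        return -1;                       /* empty: never reach memmove */
    int d = (unsigned char)s->digits[0];
    s->current_len--;
    s->current_digits--;
    memmove(s->digits, s->digits + 1, (size_t)s->current_len);
    s->digits[s->current_digits] = '\0';
    return d;
}
```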

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2010-06-05 12:54 kenner         Note Added: 0123010                          
======================================================================