[asterisk-bugs] [JIRA] (ASTERISK-20901) Security Vulnerability: Possible stack corruption when parsing H.264 format attributes

Matt Jordan (JIRA) noreply at issues.asterisk.org
Wed Mar 27 16:00:02 CDT 2013


     [ https://issues.asterisk.org/jira/browse/ASTERISK-20901?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Matt Jordan updated ASTERISK-20901:
-----------------------------------

    Target Release Version/s: 11.2.2
    
> Security Vulnerability: Possible stack corruption when parsing H.264 format attributes
> --------------------------------------------------------------------------------------
>
>                 Key: ASTERISK-20901
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-20901
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Resources/res_format_attr_h264
>    Affects Versions: 11.1.2
>            Reporter: Matt Jordan
>            Assignee: Jonathan Rose
>            Severity: Critical
>      Target Release: 11.2.2
>
>         Attachments: AST-2013-001-11.diff, h264_overflow_security_patch.diff
>
>
> {quote}
> Hi,
> I just saw this in res/res_format_attr_h264.c in Asterisk 11.1.2:
> {code}
> char sps[H264_MAX_SPS_PPS_SIZE], pps[H264_MAX_SPS_PPS_SIZE];
> if (sscanf(attrib, "profile-level-id=%lx", &val2) == 1) {
>     format_attr->format_attr[H264_ATTR_KEY_PROFILE_IDC] = ((val2 >> 16) & 0xFF);
>     format_attr->format_attr[H264_ATTR_KEY_PROFILE_IOP] = ((val2 >> 8) & 0xFF);
>     format_attr->format_attr[H264_ATTR_KEY_LEVEL] = (val2 & 0xFF);
> } else if (sscanf(attrib, "sprop-parameter-sets=%[^','],%s", sps, pps) == 2) {
> {code}
> I suspect there might be a potential buffer overflow here with a long "sprop-parameter-sets" string, but I don't really know the involved protocols well enough to check this. What do you think?
> // Ulf Härnhammar
> {quote}
> Confirmed. When using sscanf, we need to length limit the strings to the length of the buffers on the stack - 1.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
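The fix the thread describes (width-limit each sscanf conversion to the buffer size minus one) as an added, self-contained example; this is not Asterisk's patch, and the buffer size, the function name and the extra `%n` leftover-input check are assumptions made here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not Asterisk code. Deliberately small so a test can
 * exercise the over-long cases; the real constant is larger. */
#define H264_MAX_SPS_PPS_SIZE 16

/* Vulnerable shape from the report, for comparison only (never called):
 * no width on %[...] or %s, so input longer than the buffer runs past it.
 *
 *   sscanf(attrib, "sprop-parameter-sets=%[^','],%s", sps, pps);
 */

/* Hardened parser. Width = sizeof(buf) - 1 leaves room for the NUL; the
 * format is built with snprintf so the width cannot drift from the buffer
 * size. %n records how much of attrib was consumed: if bytes remain after
 * the %s conversion, pps was silently truncated, so the attribute is
 * rejected rather than accepted as a shorter (corrupt) parameter set.
 * Returns 1 on success, 0 on malformed or over-long input. */
int parse_sprop_parameter_sets(const char *attrib,
                               char sps[H264_MAX_SPS_PPS_SIZE],
                               char pps[H264_MAX_SPS_PPS_SIZE])
{
    char fmt[64];
    int consumed = -1;

    snprintf(fmt, sizeof(fmt), "sprop-parameter-sets=%%%d[^,],%%%ds%%n",
             H264_MAX_SPS_PPS_SIZE - 1, H264_MAX_SPS_PPS_SIZE - 1);
    sps[0] = pps[0] = '\0';

    if (sscanf(attrib, fmt, sps, pps, &consumed) != 2) {
        return 0;   /* wrong prefix, empty field, missing comma, or sps too long */
    }
    if (consumed < 0 || attrib[consumed] != '\0') {
        return 0;   /* pps exceeded the buffer: unconsumed input left over */
    }
    return 1;
}
```

An over-long sps fails on its own because the literal `,` no longer matches after the width is exhausted; the `%n` check is what catches an over-long pps, which `%15s` would otherwise truncate without any error.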
