[asterisk-bugs] [JIRA] (ASTERISK-26926) Crash caused by missing check in func_speex.c with codec_siren14
Asterisk Team (JIRA)
noreply at issues.asterisk.org
Fri Apr 7 06:05:58 CDT 2017
[ https://issues.asterisk.org/jira/browse/ASTERISK-26926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=236431#comment-236431 ]
Asterisk Team commented on ASTERISK-26926:
------------------------------------------
Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.
A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.
Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].
> Crash caused by missing check in func_speex.c with codec_siren14
> ----------------------------------------------------------------
>
> Key: ASTERISK-26926
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-26926
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Functions/func_speex
> Affects Versions: 14.3.0
> Environment: Siren14 (and likely Siren7)
> Reporter: Richard Kenner
>
> There is a crash in preprocess_analysis (st=0x2ac0740fd750, x=0x3cab9378) at preprocess.c:626 due to a frame being passed to func_speex.c looking like:
> (gdb) print *frame
> $1 = {frametype = AST_FRAME_VOICE, subclass = {integer = 0,
> format = 0xe2f9e20, frame_ending = 0}, datalen = 0, samples = 640,
> mallocd = 1, mallocd_hdr_len = 232, offset = 64,
> src = 0x2ac07413e7f8 "siren14tolin32", data = {ptr = 0x3cab9378,
> uint32 = 1017877368, pad = "x\223\253<\000\000\000"}, delivery = {
> tv_sec = 1491485582, tv_usec = 407272}, frame_list = {next = 0x0},
> flags = 0, ts = 0, len = 0, seqno = 0}
> A check for datalen != 0 is missing before the call to speex_preprocess around line 188 of func_speex.c.
> This was most recently seen with Siren14, but I believe also occurs less often with Siren7.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
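The guard the report asks for, as an added example that is not Asterisk code and not part of the original message. `struct voice_frame`, `toy_preprocess`, `process_if_safe` and `demo` are hypothetical names; the struct carries only the fields visible in the gdb dump. The sketch goes beyond the reported `datalen != 0` check by also requiring the buffer to hold every sample the preprocessor will read, assuming 16-bit samples.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in holding only the fields visible in the gdb dump. */
struct voice_frame {
    int datalen;   /* payload bytes actually present */
    int samples;   /* sample count the translator claims */
    void *data;    /* data.ptr in the dump */
};

/* Stand-in for a preprocessor that reads frame_size 16-bit samples. */
static long toy_preprocess(const int16_t *x, int frame_size)
{
    long sum = 0;
    for (int i = 0; i < frame_size; i++)
        sum += x[i];
    return sum;
}

/* Returns 1 and fills *out if the frame was processed, 0 if it was skipped. */
int process_if_safe(const struct voice_frame *f, int frame_size, long *out)
{
    if (f == NULL || f->data == NULL || frame_size <= 0)
        return 0;
    if (f->datalen <= 0)              /* the datalen != 0 check from the report */
        return 0;
    if (f->samples != frame_size)     /* generalization: sample count must match */
        return 0;
    if ((size_t)f->datalen < (size_t)frame_size * sizeof(int16_t))
        return 0;                     /* generalization: buffer too short to read */
    *out = toy_preprocess((const int16_t *)f->data, frame_size);
    return 1;
}

/* Constructed frames: shape 0 mirrors the report (samples = 640, datalen = 0).
 * Returns the toy result, or -1 when the frame was skipped. */
long demo(int shape)
{
    static int16_t pcm[640];
    struct voice_frame f = { 0, 640, pcm };
    long out = 0;
    for (int i = 0; i < 640; i++)
        pcm[i] = 1;
    if (shape == 1) f.datalen = 640;              /* half the needed bytes */
    if (shape == 2) f.datalen = (int)sizeof(pcm); /* 1280 bytes, complete */
    return process_if_safe(&f, 640, &out) ? out : -1;
}
```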