[asterisk-bugs] [JIRA] (ASTERISK-26926) func_speex: Crash caused by frame with no datalen

Richard Kenner (JIRA) noreply at issues.asterisk.org
Wed Apr 26 14:36:58 CDT 2017


    [ https://issues.asterisk.org/jira/browse/ASTERISK-26926?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=236723#comment-236723 ] 

Richard Kenner commented on ASTERISK-26926:
-------------------------------------------

Unfortunately, this is a very intermittent issue that I can't reliably reproduce.  Worse, because of the previous crashes, the people here have lost confidence in Asterisk and no longer want to use it for conferencing, so there won't even be much usage to potentially generate the test cases for it.  Sorry about that, but that's what happens when new releases pick up catastrophic failures like this.  I believe that this patch does fix it, though.

> func_speex: Crash caused by frame with no datalen
> -------------------------------------------------
>
>                 Key: ASTERISK-26926
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-26926
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Functions/func_speex
>    Affects Versions: 14.3.0
>         Environment: Siren14 (and likely Siren7)
>            Reporter: Richard Kenner
>            Assignee: Richard Kenner
>            Severity: Minor
>         Attachments: ASTERISK-26926.diff
>
>
> There is a crash in preprocess_analysis (st=0x2ac0740fd750, x=0x3cab9378) at preprocess.c:626 due to a frame being passed to func_speex.c looking like:  
> {noformat}
> (gdb) print *frame
> $1 = {frametype = AST_FRAME_VOICE, subclass = {integer = 0, 
>     format = 0xe2f9e20, frame_ending = 0}, datalen = 0, samples = 640, 
>   mallocd = 1, mallocd_hdr_len = 232, offset = 64, 
>   src = 0x2ac07413e7f8 "siren14tolin32", data = {ptr = 0x3cab9378, 
>     uint32 = 1017877368, pad = "x\223\253<\000\000\000"}, delivery = {
>     tv_sec = 1491485582, tv_usec = 407272}, frame_list = {next = 0x0}, 
>   flags = 0, ts = 0, len = 0, seqno = 0}
> {noformat}
> A check for datalen != 0 is missing before the call to speex_preprocess around line 188 of func_speex.c.
> This was most recently seen with Siren14, but I believe also occurs less often with Siren7.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
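The report above boils down to one missing validation: a voice frame arrived with datalen = 0 but samples = 640, and the preprocessor trusted the sample count and read a buffer that had no payload behind it. The following C program, added here as an illustration and not taken from Asterisk, func_speex.c or the attached diff, shows the defensive check in isolation. The struct voice_frame, dsp_stage() and guarded_preprocess() names are constructed stand-ins for the real ast_frame / speex_preprocess() pair; the frame values are modelled on the gdb dump in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the frame fields seen in the gdb dump
 * (datalen, samples, data). This is NOT Asterisk's struct ast_frame. */
struct voice_frame {
    int datalen;     /* bytes of audio actually present behind data */
    int samples;     /* number of samples the frame claims to carry */
    int16_t *data;   /* 16-bit signed linear audio */
};

enum preprocess_result {
    PREPROCESS_RUN = 0,         /* buffer was validated and processed */
    PREPROCESS_SKIP_EMPTY = 1,  /* datalen == 0 (the reported case): left untouched */
    PREPROCESS_SKIP_SHORT = 2   /* datalen too small for 'samples': would over-read */
};

/* Hypothetical DSP stage standing in for speex_preprocess(). Like the real
 * one it trusts 'samples' and reads every element, so it must never be
 * reached with a buffer that does not actually back that many samples. */
static void dsp_stage(int16_t *buf, int samples)
{
    for (int i = 0; i < samples; i++) {
        buf[i] = (int16_t)(buf[i] / 2);   /* simple in-place attenuation */
    }
}

/* Validate the frame before the DSP stage is allowed to read its buffer.
 * Returns which branch was taken so the outcome is observable. */
enum preprocess_result guarded_preprocess(struct voice_frame *f)
{
    /* The check the report says is missing: a voice frame with no payload
     * (datalen 0) carries nothing to analyse, so pass it through untouched.
     * Note that data may still be a non-NULL pointer, as in the gdb dump;
     * datalen, not the pointer, is what says whether bytes are present. */
    if (f->datalen == 0 || f->data == NULL) {
        return PREPROCESS_SKIP_EMPTY;
    }
    /* Also require that 'samples' is backed by enough bytes (2 per sample for
     * 16-bit linear audio); otherwise the DSP stage would read past the end. */
    if ((size_t)f->datalen < (size_t)f->samples * sizeof(int16_t)) {
        return PREPROCESS_SKIP_SHORT;
    }
    dsp_stage(f->data, f->samples);
    return PREPROCESS_RUN;
}

/* Constructed frame shaped like the gdb dump: a non-NULL data pointer,
 * samples = 640, but datalen = 0. */
struct voice_frame make_empty_frame(void)
{
    static int16_t stale[1];                 /* stands in for the stale 0x3cab9378 pointer */
    struct voice_frame f = { 0, 640, stale };
    return f;
}

int main(void)
{
    struct voice_frame empty = make_empty_frame();
    printf("empty frame -> %d (expect %d)\n",
           guarded_preprocess(&empty), PREPROCESS_SKIP_EMPTY);

    int16_t pcm[4] = { 100, -200, 300, -400 };      /* constructed sample data */
    struct voice_frame ok = { (int)sizeof pcm, 4, pcm };
    printf("valid frame -> %d, first sample now %d\n",
           guarded_preprocess(&ok), pcm[0]);

    struct voice_frame lying = { (int)sizeof pcm, 640, pcm };  /* claims 640 samples, has 4 */
    printf("short frame -> %d (expect %d)\n",
           guarded_preprocess(&lying), PREPROCESS_SKIP_SHORT);
    return 0;
}
```

The second check goes slightly beyond the report: it also rejects a frame whose datalen is non-zero but too small for the advertised sample count, which is the same over-read failure mode with a different trigger. Both branches return rather than abort, so a malformed frame degrades to "not preprocessed" instead of taking the whole process down.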