[asterisk-bugs] [JIRA] (ASTERISK-29328) translate.c: possible buffer overflow when upsampling

Kevin Harwell (JIRA) noreply at issues.asterisk.org
Wed Apr 21 09:41:10 CDT 2021


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=254671#comment-254671 ] 

Kevin Harwell commented on ASTERISK-29328:
------------------------------------------

Excellent and thank you!

> translate.c: possible buffer overflow when upsampling
> -----------------------------------------------------
>
>                 Key: ASTERISK-29328
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29328
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Core/CodecInterface
>    Affects Versions: 16.16.0
>            Reporter: Jean Aunis - Prescom
>              Labels: patch
>         Attachments: fix_translation_size.patch
>
>
> I may have found a buffer size miscalculation in translate.c. It may have security implications since it could result in a buffer overflow.
> There is a piece of code in translate.c (function framein) that checks if the translator has got enough free space in its outbuf. Here is the code:
> {code}
> static int framein(struct ast_trans_pvt *pvt, struct ast_frame *f)
> {
> [snip]
>         if (pvt->samples + f->samples > pvt->t->buffer_samples) {
>             ast_log(LOG_WARNING, "Out of buffer space\n");
>             return -1;
>         }
> }
> {code}
> It seems to me this code assumes that the number of samples remains the same through the translation process, which will not be the case when up- or down-sampling. When upsampling, it may overflow the outbuf.
> Shouldn't we re-write the condition like this:
> {code}
> int src_srate = pvt->t->src_codec->sample_rate;
> int dst_srate = pvt->t->dst_codec->sample_rate;
> if (pvt->samples + (f->samples * dst_srate/src_srate) > pvt->t->buffer_samples) {
>         ast_log(LOG_WARNING, "Out of buffer space\n");
>         return -1;
> }
> {code}
> For the moment I have not been able to create the conditions of a crash. 



--
This message was sent by Atlassian JIRA
(v6.2#6252)
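The following is an added example, not Asterisk's translate.c and not code posted by the reporter. It puts the check quoted from framein() beside a rate-scaled version of the kind proposed in the report, and computes how many samples an 8 kHz to 16 kHz upsample would write past the end of outbuf when the unscaled check admits it. The struct definitions, the 480-sample buffer, the 320 queued samples and the 160-sample frame are assumptions constructed for the example; Asterisk's real ast_trans_pvt, ast_translator and sample-rate list are not reproduced.

```c
#include <stdio.h>

/* Simplified stand-ins for the structures named in the report.
 * These are assumptions for this example, not Asterisk's definitions. */
struct codec { int sample_rate; };
struct translator {
    int buffer_samples;              /* capacity of outbuf, in samples */
    const struct codec *src_codec;
    const struct codec *dst_codec;
};
struct trans_pvt {
    const struct translator *t;
    int samples;                     /* samples already queued in outbuf */
};
struct frame { int samples; };

/* The check as quoted from framein(): returns 1 if the frame is accepted,
 * 0 if rejected. It treats the output sample count as equal to the input. */
int check_original(const struct trans_pvt *pvt, const struct frame *f)
{
    return pvt->samples + f->samples <= pvt->t->buffer_samples;
}

/* Output samples a translation produces for in_samples input samples.
 * The product is taken in long to avoid int overflow, and the division is
 * rounded up so a non-integer rate ratio (e.g. 44.1 kHz -> 48 kHz) can
 * never under-estimate what the resampler will write. */
long translated_samples(const struct translator *t, int in_samples)
{
    long num = (long)in_samples * (long)t->dst_codec->sample_rate;
    long den = (long)t->src_codec->sample_rate;
    return (num + den - 1) / den;
}

/* The check with the scaled sample count, as the report proposes. */
int check_scaled(const struct trans_pvt *pvt, const struct frame *f)
{
    return pvt->samples + translated_samples(pvt->t, f->samples)
           <= pvt->t->buffer_samples;
}

/* Samples that a translation admitted by check() would write past the end of
 * outbuf (0 when it fits). The overrun is computed, not performed, so this
 * example never writes out of bounds itself. */
long overrun_samples(const struct trans_pvt *pvt, const struct frame *f,
                     int (*check)(const struct trans_pvt *, const struct frame *))
{
    long end;
    if (!check(pvt, f)) {
        return 0;                    /* rejected before any write happens */
    }
    end = pvt->samples + translated_samples(pvt->t, f->samples);
    return end > pvt->t->buffer_samples ? end - pvt->t->buffer_samples : 0;
}

int main(void)
{
    /* Constructed scenario: 8 kHz -> 16 kHz upsampling into a 480-sample
     * outbuf already holding 320 samples, then a 20 ms (160-sample) frame. */
    const struct codec slin8 = { 8000 }, slin16 = { 16000 };
    const struct translator up = { 480, &slin8, &slin16 };
    struct trans_pvt pvt = { &up, 320 };
    struct frame f = { 160 };

    printf("original check accepts: %d, overrun: %ld samples\n",
           check_original(&pvt, &f), overrun_samples(&pvt, &f, check_original));
    printf("scaled check accepts:   %d, overrun: %ld samples\n",
           check_scaled(&pvt, &f), overrun_samples(&pvt, &f, check_scaled));
    return 0;
}
```

In the constructed scenario the unscaled check accepts the frame (320 + 160 = 480 fits exactly) while the translation actually produces 320 output samples and would run 160 samples past outbuf; the scaled check rejects it. Two details worth carrying into any real fix: the reporter's expression `f->samples * dst_srate/src_srate` multiplies before dividing, which is the right order, but it truncates, so for rate pairs whose ratio is not an integer it can under-count by one sample, and the product should be computed in a type wide enough that a large frame at a high rate cannot overflow int.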