[asterisk-bugs] [JIRA] (ASTERISK-29328) translate.c: possible buffer overflow when upsampling
Friendly Automation (JIRA)
noreply at issues.asterisk.org
Wed Apr 28 16:36:10 CDT 2021
[ https://issues.asterisk.org/jira/browse/ASTERISK-29328?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=254737#comment-254737 ]
Friendly Automation commented on ASTERISK-29328:
------------------------------------------------
Change 15801 merged by Friendly Automation:
translate.c: Take sampling rate into account when checking codec's buffer size
https://gerrit.asterisk.org/c/asterisk/+/15801
> translate.c: possible buffer overflow when upsampling
> -----------------------------------------------------
>
> Key: ASTERISK-29328
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-29328
> Project: Asterisk
> Issue Type: Bug
> Components: Core/CodecInterface
> Affects Versions: 16.16.0
> Reporter: Jean Aunis - Prescom
> Labels: patch
> Attachments: fix_translation_size.patch
>
>
> I may have found a buffer size miscalculation in translate.c. It may have security implications since it could result in a buffer overflow.
> There is a piece of code in translate.c (function framein) that checks if the translator has got enough free space in its outbuf. Here is the code:
> {code}
> static int framein(struct ast_trans_pvt *pvt, struct ast_frame *f)
> {
> [snip]
> if (pvt->samples + f->samples > pvt->t->buffer_samples) {
> ast_log(LOG_WARNING, "Out of buffer space\n");
> return -1;
> }
> }
> {code}
> It seems to me this code assumes that the number of samples remains the same through the translation process, which will not be the case when up- or down-sampling. When upsampling, it may overflow the outbuf.
> Shouldn't we rewrite the condition like this:
> {code}
> int src_srate = pvt->t->src_codec->sample_rate;
> int dst_srate = pvt->t->dst_codec->sample_rate;
> if (pvt->samples + (f->samples * dst_srate/src_srate) > pvt->t->buffer_samples) {
> ast_log(LOG_WARNING, "Out of buffer space\n");
> return -1;
> }
> {code}
> For the moment I have not been able to create the conditions of a crash.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
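The accounting problem described in the report, as an added example that is not part of the original issue, the merged change, or Asterisk's source: a constructed model of a translator's private state (the `model_pvt` struct, the `BUFFER_SAMPLES` capacity of 160 and the helper names are all assumptions for illustration, not Asterisk's `ast_trans_pvt` or its fields) with the quoted size-only check beside a rate-aware one. The rate-aware estimate multiplies in 64 bits and rounds up, a conservative choice added here so a non-integer rate ratio can never make the estimate undercount; that rounding is this example's design, not something the report proposes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a translator's private state. It is NOT Asterisk's
 * struct ast_trans_pvt; it only carries what the buffer-space check needs. */
#define BUFFER_SAMPLES 160  /* assumed outbuf capacity, in destination samples */

struct model_pvt {
    int src_rate;   /* input codec sample rate in Hz */
    int dst_rate;   /* output codec sample rate in Hz */
    int samples;    /* destination samples already sitting in outbuf */
};

/* Destination samples produced by f_samples input samples. The product is
 * computed in 64 bits and the division rounds up, so the estimate never
 * undercounts on a non-integer ratio (e.g. 48000 -> 8000 with 7 samples). */
int64_t translated_samples(int f_samples, int src_rate, int dst_rate)
{
    int64_t num = (int64_t)f_samples * dst_rate;
    return (num + src_rate - 1) / src_rate;
}

/* The check as quoted in the report: it assumes one input sample yields one
 * output sample. Returns 1 when the frame would be accepted. */
int check_original(const struct model_pvt *pvt, int f_samples)
{
    return (pvt->samples + f_samples > BUFFER_SAMPLES) ? 0 : 1;
}

/* Rate-aware variant of the same check, in the spirit of the reporter's
 * proposed condition but using the conservative estimate above. */
int check_rate_aware(const struct model_pvt *pvt, int f_samples)
{
    int64_t needed = pvt->samples +
        translated_samples(f_samples, pvt->src_rate, pvt->dst_rate);
    return (needed > BUFFER_SAMPLES) ? 0 : 1;
}

/* Ground truth: would writing the translated frame run past outbuf? */
int would_overflow(const struct model_pvt *pvt, int f_samples)
{
    int64_t end = pvt->samples +
        translated_samples(f_samples, pvt->src_rate, pvt->dst_rate);
    return end > BUFFER_SAMPLES ? 1 : 0;
}

/* Constructed scenarios: src rate, dst rate, queued samples, frame size. */
static void report(const char *label, struct model_pvt pvt, int f_samples)
{
    printf("%-26s original=%s rate_aware=%s overflow=%s\n", label,
           check_original(&pvt, f_samples) ? "accept" : "reject",
           check_rate_aware(&pvt, f_samples) ? "accept" : "reject",
           would_overflow(&pvt, f_samples) ? "yes" : "no");
}

int main(void)
{
    struct model_pvt up   = { 8000, 16000, 0 };
    struct model_pvt same = { 8000, 8000, 0 };
    struct model_pvt down = { 16000, 8000, 0 };

    /* 8k -> 16k: the original check accepts 160 samples in, but the
     * translator would write 320 samples into a 160-sample buffer. */
    report("8k->16k, 160 in", up, 160);
    report("8k->8k, 160 in", same, 160);    /* both accept, fits exactly */
    report("16k->8k, 160 in", down, 160);   /* both accept, 80 samples out */
    return 0;
}
```

The first scenario is the one the report describes: with equal in/out sample counts assumed, a 20 ms frame at 8 kHz passes the size-only check and then doubles in size on the way to 16 kHz. The downsampling case shows why the fix is a rate correction rather than simply a tighter bound: the original check is only over-strict there, not unsafe.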