[asterisk-bugs] [JIRA] (ASTERISK-29328) translate.c: possible buffer overflow when upsampling

Asterisk Team (JIRA) noreply at issues.asterisk.org
Thu Apr 29 10:43:10 CDT 2021


     [ https://issues.asterisk.org/jira/browse/ASTERISK-29328?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Asterisk Team updated ASTERISK-29328:
-------------------------------------

    Target Release Version/s: 18.4.0

> translate.c: possible buffer overflow when upsampling
> -----------------------------------------------------
>
>                 Key: ASTERISK-29328
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29328
>             Project: Asterisk
>          Issue Type: Bug
>          Components: Core/CodecInterface
>    Affects Versions: 16.16.0
>            Reporter: Jean Aunis - Prescom
>              Labels: patch
>      Target Release: 16.18.0, 18.4.0
>
>         Attachments: fix_translation_size.patch
>
>
> I may have found a buffer size miscalculation in translate.c. It may have security implications since it could result in a buffer overflow.
> There is a piece of code in translate.c (function framein) that checks if the translator has got enough free space in its outbuf. Here is the code:
> {code}
> static int framein(struct ast_trans_pvt *pvt, struct ast_frame *f)
> {
> [snip]
>         if (pvt->samples + f->samples > pvt->t->buffer_samples) {
>             ast_log(LOG_WARNING, "Out of buffer space\n");
>             return -1;
>         }
> }
> {code}
> It seems to me this code assumes that the number of samples remains the same through the translation process. Which will not be the case when up- or down-sampling. When upsampling, it may overflow the outbuf.
> Shouldn't we re-write the condition like this:
> {code}
> int src_srate = pvt->t->src_codec->sample_rate;
> int dst_srate = pvt->t->dst_codec->sample_rate;
> if (pvt->samples + (f->samples * dst_srate/src_srate) > pvt->t->buffer_samples) {
>     ast_log(LOG_WARNING, "Out of buffer space\n");
>     return -1;
> }
> {code}
> For the moment I have not been able to create the conditions of a crash. 
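To make the size mismatch concrete, the following is an added C model of the two checks, written for this post and not taken from Asterisk; the function names toy_out_samples, check_original, check_fixed and toy_overrun and the 8 kHz to 16 kHz scenario are constructed. It goes one step beyond the report's proposal by rounding the scaled frame size up, so a non-integral rate ratio cannot under-estimate the space the translator needs.

```c
#include <stdio.h>

/* Output samples produced by a frame of in_samples after resampling
 * src_rate -> dst_rate. Rounds up so a non-integral ratio never
 * under-estimates the space needed (an added margin beyond the plain
 * integer division in the report's proposed condition). */
int toy_out_samples(int in_samples, int src_rate, int dst_rate)
{
    long long num = (long long)in_samples * dst_rate;
    return (int)((num + src_rate - 1) / src_rate);
}

/* The check as quoted from framein(): assumes samples in == samples out.
 * buffered stands for pvt->samples, cap for pvt->t->buffer_samples.
 * Returns 1 if the frame is accepted, 0 if "Out of buffer space". */
int check_original(int buffered, int frame_samples, int cap)
{
    return buffered + frame_samples <= cap;
}

/* The corrected check: size the frame in *output* samples first. */
int check_fixed(int buffered, int frame_samples, int cap, int src_rate, int dst_rate)
{
    return buffered + toy_out_samples(frame_samples, src_rate, dst_rate) <= cap;
}

/* How many output samples past cap an accepted frame would land (0 if it fits). */
int toy_overrun(int buffered, int frame_samples, int cap, int src_rate, int dst_rate)
{
    int end = buffered + toy_out_samples(frame_samples, src_rate, dst_rate);
    return end > cap ? end - cap : 0;
}

int main(void)
{
    /* Constructed scenario: 8 kHz -> 16 kHz (2x upsampling), outbuf holds 320
     * output samples, 100 are already buffered, a 160-sample (20 ms) frame arrives. */
    int src = 8000, dst = 16000, cap = 320, buffered = 100, frame = 160;
    printf("original check accepts frame: %d\n", check_original(buffered, frame, cap));
    printf("fixed check accepts frame:    %d\n", check_fixed(buffered, frame, cap, src, dst));
    printf("output samples past end of outbuf if written anyway: %d\n",
           toy_overrun(buffered, frame, cap, src, dst));
    return 0;
}
```

The original condition accepts the frame (100 + 160 fits in 320) while the resampled frame actually needs 320 output samples, overshooting the buffer by 100.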



--
This message was sent by Atlassian JIRA
(v6.2#6252)


