[Asterisk-code-review] Patch to pjsip to prevent memory corruption on creation of x... (asterisk[13])
Joshua Elson
asteriskteam at digium.com
Mon Mar 20 20:10:35 CDT 2017
Joshua Elson has uploaded a new change for review. ( https://gerrit.asterisk.org/5265 )
Change subject: Patch to pjsip to prevent memory corruption on creation of xml bodies
......................................................................
Patch to pjsip to prevent memory corruption on creation of xml bodies
ASTERISK-26776 #close
Change-Id: Ia32b91e8ffc21b04b15a659e14ab764e0f86083b
---
M res/res_pjsip_xpidf_body_generator.c
A third-party/pjproject/patches/0025-fix-print-xml-crash.patch
2 files changed, 17 insertions(+), 2 deletions(-)
git pull ssh://gerrit.asterisk.org:29418/asterisk refs/changes/65/5265/1
diff --git a/res/res_pjsip_xpidf_body_generator.c b/res/res_pjsip_xpidf_body_generator.c
index 298235c..a35bfee 100644
--- a/res/res_pjsip_xpidf_body_generator.c
+++ b/res/res_pjsip_xpidf_body_generator.c
@@ -108,7 +108,10 @@
do {
size = pjxpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str) - 1);
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
- ast_str_make_space(str, ast_str_size(*str) * 2);
+ if (ast_str_make_space(str, ast_str_size(*str) * 2) != 0) {
+ ast_log(LOG_WARNING, "XPIDF string expansion failed\n");
+ return;
+ }
++growths;
}
} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
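Review bot: The new early `return;` after a failed `ast_str_make_space()` leaves `*str` holding whatever `pjxpidf_print()` wrote on the last pass, without the terminator and `ast_str_update()` that follow the loop. Because both failure paths in this function use a bare `return;`, the caller has no way to tell the body is unusable. Consider resetting the string before returning so that a later reader of `*str` does not see partial output. The warning text could also include the size that was requested, which would make it easier to tell this failure apart from the "XPIDF body text too large" case.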
@@ -116,7 +119,7 @@
ast_log(LOG_WARNING, "XPIDF body text too large\n");
return;
}
-
+
*(ast_str_buffer(*str) + size) = '\0';
ast_str_update(*str);
}
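Review bot: The only change in this hunk is the blank line before `*(ast_str_buffer(*str) + size) = '\0';`, which is removed and re-added, so it looks like a whitespace-only edit (most likely trailing whitespace introduced on the `+` line). Drop it from the patch so the change stays limited to the fix.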
diff --git a/third-party/pjproject/patches/0025-fix-print-xml-crash.patch b/third-party/pjproject/patches/0025-fix-print-xml-crash.patch
new file mode 100644
index 0000000..758d38a
--- /dev/null
+++ b/third-party/pjproject/patches/0025-fix-print-xml-crash.patch
@@ -0,0 +1,12 @@
+diff --git a/pjlib-util/src/pjlib-util/xml.c b/pjlib-util/src/pjlib-util/xml.c
+index 3d4d16f..aff0cff 100644
+--- a/pjlib-util/src/pjlib-util/xml.c
++++ b/pjlib-util/src/pjlib-util/xml.c
+@@ -248,6 +248,7 @@ static int xml_print_node( const pj_xml_node *node, int indent,
+ if (node->content.slen==0 &&
+ node->node_head.next==(pj_xml_node*)&node->node_head)
+ {
++ if (SIZE_LEFT() < 3) return -1;
+ *p++ = ' ';
+ *p++ = '/';
+ *p++ = '>';
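Review bot: The added patch file starts directly at `diff --git` with no description, so nothing records why `xml_print_node` needs `if (SIZE_LEFT() < 3) return -1;` or whether the fix has been submitted to pjproject upstream. Add a short header to 0025-fix-print-xml-crash.patch stating that the empty-element branch stored ' ', '/' and '>' without checking the remaining space, and reference ASTERISK-26776. The constant 3 matches the three stores that follow it; a brief comment on that line would help keep the two in sync if the branch is ever changed.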
--
To view, visit https://gerrit.asterisk.org/5265
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia32b91e8ffc21b04b15a659e14ab764e0f86083b
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: 13
Gerrit-Owner: Joshua Elson <joshelson at gmail.com>