[asterisk-commits] trunk r25164 - /trunk/frame.c

[asterisk-commits at lists.digium.com]

Author: russell
Date: Fri May  5 21:31:22 2006
New Revision: 25164

URL: http://svn.digium.com/view/asterisk?rev=25164&view=rev
Log:
fix a problem where the frame's data pointer is overwritten by the newly
allocated data buffer before the data can be copied from it.  This is in
the ast_frisolate() function which is rarely used.  (issue #6732, stefankroon)

Modified:
    trunk/frame.c

Modified: trunk/frame.c
URL: http://svn.digium.com/view/asterisk/trunk/frame.c?rev=25164&r1=25163&r2=25164&view=diff
==============================================================================
--- trunk/frame.c (original)
+++ trunk/frame.c Fri May  5 21:31:22 2006
@@ -304,37 +304,41 @@
 struct ast_frame *ast_frisolate(struct ast_frame *fr)
 {
 	struct ast_frame *out;
+	void *newdata;
+	
 	if (!(fr->mallocd & AST_MALLOCD_HDR)) {
 		/* Allocate a new header if needed */
-		if (!(out = ast_frame_header_new())) {
+		if (!(out = ast_frame_header_new()))
 			return NULL;
-		}
 		out->frametype = fr->frametype;
 		out->subclass = fr->subclass;
 		out->datalen = fr->datalen;
 		out->samples = fr->samples;
 		out->offset = fr->offset;
-		out->src = NULL;
 		out->data = fr->data;
-	} else {
+	} else
 		out = fr;
-	}
+	
 	if (!(fr->mallocd & AST_MALLOCD_SRC)) {
 		if (fr->src)
 			out->src = strdup(fr->src);
 	} else
 		out->src = fr->src;
+	
 	if (!(fr->mallocd & AST_MALLOCD_DATA))  {
-		if (!(out->data = ast_malloc(fr->datalen + AST_FRIENDLY_OFFSET))) {
+		if (!(newdata = ast_malloc(fr->datalen + AST_FRIENDLY_OFFSET))) {
 			free(out);
 			return NULL;
 		}
-		out->data += AST_FRIENDLY_OFFSET;
+		newdata += AST_FRIENDLY_OFFSET;
 		out->offset = AST_FRIENDLY_OFFSET;
 		out->datalen = fr->datalen;
-		memcpy(out->data, fr->data, fr->datalen);
-	}
+		memcpy(newdata, fr->data, fr->datalen);
+		out->data = newdata;
+	}
+
 	out->mallocd = AST_MALLOCD_HDR | AST_MALLOCD_SRC | AST_MALLOCD_DATA;
+	
 	return out;
 }