[asterisk-commits] tilghman: branch 1.4 r168603 - /branches/1.4/main/udptl.c
SVN commits to the Asterisk project
asterisk-commits at lists.digium.com
Wed Jan 14 13:02:55 CST 2009
Author: tilghman
Date: Wed Jan 14 13:02:55 2009
New Revision: 168603
URL: http://svn.digium.com/svn-view/asterisk?view=rev&rev=168603
Log:
Don't read into a buffer without first checking if a value is beyond the end.
(closes issue #13600)
Reported by: atis
Patches:
20090106__bug13600.diff.txt uploaded by Corydon76 (license 14)
Tested by: atis
Modified:
branches/1.4/main/udptl.c
Modified: branches/1.4/main/udptl.c
URL: http://svn.digium.com/svn-view/asterisk/branches/1.4/main/udptl.c?view=diff&rev=168603&r1=168602&r2=168603
==============================================================================
--- branches/1.4/main/udptl.c (original)
+++ branches/1.4/main/udptl.c Wed Jan 14 13:02:55 2009
@@ -156,15 +156,15 @@
static int decode_length(uint8_t *buf, int limit, int *len, int *pvalue)
{
+ if (*len >= limit)
+ return -1;
if ((buf[*len] & 0x80) == 0) {
- if (*len >= limit)
- return -1;
*pvalue = buf[*len];
(*len)++;
return 0;
}
if ((buf[*len] & 0x40) == 0) {
- if (*len >= limit - 1)
+ if (*len == limit - 1)
return -1;
*pvalue = (buf[*len] & 0x3F) << 8;
(*len)++;
@@ -172,8 +172,6 @@
(*len)++;
return 0;
}
- if (*len >= limit)
- return -1;
*pvalue = (buf[*len] & 0x3F) << 14;
(*len)++;
/* Indicate we have a fragment */
More information about the asterisk-commits
mailing list