[asterisk-commits] mjordan: branch 10 r366741 - in /branches/10: ./ channels/ res/

SVN commits to the Asterisk project asterisk-commits at lists.digium.com
Thu May 17 07:57:34 CDT 2012 

Author: mjordan
Date: Thu May 17 07:57:30 2012
New Revision: 366741

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=366741
Log:
Fix checking bounds of array index after using it; improper sizeof

This patch fixes two problems pointed out by a static analysis tool.

* In chan_dahdi, when an event is handled the index of the sub channel is first
  obtained.  In very off nominal cases, the method that determines the index
  can return a negative value.  In the event handling code, whether or not
  the index returned is valid was being checked after that value was used to
  index into an array.  This patch makes it so the value is checked before
  any indexing is done.

* In res_calendar_ews, sizeof was being passed a pointer instead of the struct to
  determine the amount of memory to allocate.

(issue ASTERISK-19651)
Reported by: Matt Jordan

(closes issue ASTERISK-19671)
Reported by: Matt Jordan
........

Merged revisions 366740 from http://svn.asterisk.org/svn/asterisk/branches/1.8

Modified:
    branches/10/   (props changed)
    branches/10/channels/chan_dahdi.c
    branches/10/res/res_calendar_ews.c

Propchange: branches/10/
------------------------------------------------------------------------------
Binary property 'branch-1.8-merged' - no diff available.

Modified: branches/10/channels/chan_dahdi.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/channels/chan_dahdi.c?view=diff&rev=366741&r1=366740&r2=366741
==============================================================================
--- branches/10/channels/chan_dahdi.c (original)
+++ branches/10/channels/chan_dahdi.c Thu May 17 07:57:30 2012
@@ -7954,6 +7954,9 @@
 	struct ast_frame *f;
 
 	idx = dahdi_get_index(ast, p, 0);
+	if (idx < 0) {
+		return &ast_null_frame;
+	}
 	mysig = p->sig;
 	if (p->outsigmod > -1)
 		mysig = p->outsigmod;
@@ -7967,8 +7970,6 @@
 	p->subs[idx].f.data.ptr = NULL;
 	f = &p->subs[idx].f;
 
-	if (idx < 0)
-		return &p->subs[idx].f;
 	if (p->fake_event) {
 		res = p->fake_event;
 		p->fake_event = 0;

Modified: branches/10/res/res_calendar_ews.c
URL: http://svnview.digium.com/svn/asterisk/branches/10/res/res_calendar_ews.c?view=diff&rev=366741&r1=366740&r2=366741
==============================================================================
--- branches/10/res/res_calendar_ews.c (original)
+++ branches/10/res/res_calendar_ews.c Thu May 17 07:57:30 2012
@@ -233,7 +233,7 @@
 		/* Event UID */
 		if (ctx->op == XML_OP_FIND) {
 			struct calendar_id *id;
-			if (!(id = ast_calloc(1, sizeof(id)))) {
+			if (!(id = ast_calloc(1, sizeof(*id)))) {
 				return NE_XML_ABORT;
 			}
 			if (!(id->id = ast_str_create(256))) {

More information about the asterisk-commits mailing list