<p>Benjamin Keith Ford <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/19638">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span></span><br></pre><div style="white-space:pre-wrap">Approvals:
Benjamin Keith Ford: Looks good to me, approved; Approved for Submit
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">pjproject: 2.13 security fixes<br><br>Backports two security fixes (c4d3498 and 450baca) from pjproject 2.13.<br><br>ASTERISK-30338<br><br>Change-Id: I86fdc003d5d22cb66e7cc6dc3313a8194f27eb69<br>---<br>A third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch<br>A third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch<br>2 files changed, 363 insertions(+), 0 deletions(-)<br><br></pre>
<pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch b/third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch</span><br><span>new file mode 100644</span><br><span>index 0000000..cf4359a</span><br><span>--- /dev/null</span><br><span>+++ b/third-party/pjproject/patches/0200-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch</span><br><span>@@ -0,0 +1,306 @@</span><br><span style="color: hsl(120, 100%, 40%);">+From c4d34984ec92b3d5252a7d5cddd85a1d3a8001ae Mon Sep 17 00:00:00 2001</span><br><span style="color: hsl(120, 100%, 40%);">+From: sauwming <ming@teluu.com></span><br><span style="color: hsl(120, 100%, 40%);">+Date: Mon, 3 Oct 2022 08:07:22 +0800</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: [PATCH] Merge pull request from GHSA-fq45-m3f7-3mhj</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Initial patch</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Use 'pj_scan_is_eof(scanner)'</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Use 'pj_scan_is_eof(scanner)'</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Use 'pj_scan_is_eof(scanner)'</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Use `!pj_scan_is_eof` instead of manually checking `scanner->curptr < scanner->end`</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Maksim Mukosey <mmukosey@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Update pjlib-util/src/pjlib-util/scanner.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Update pjlib-util/src/pjlib-util/scanner.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Update pjlib-util/src/pjlib-util/scanner.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Revert '>=' back to '>' in pj_scan_stricmp_alnum()</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Fix error compiles.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Nanang Izzuddin <nanang@teluu.com></span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Maksim Mukosey <mmukosey@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+---</span><br><span style="color: hsl(120, 100%, 40%);">+ pjlib-util/src/pjlib-util/scanner.c | 41 +++++++++++++++++++----------</span><br><span style="color: hsl(120, 100%, 40%);">+ pjmedia/src/pjmedia/rtp.c | 11 +++++---</span><br><span style="color: hsl(120, 100%, 40%);">+ pjmedia/src/pjmedia/sdp.c | 24 ++++++++++-------</span><br><span style="color: hsl(120, 100%, 40%);">+ 3 files changed, 48 insertions(+), 28 deletions(-)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjlib-util/src/pjlib-util/scanner.c b/pjlib-util/src/pjlib-util/scanner.c</span><br><span style="color: hsl(120, 100%, 40%);">+index a54edf2d8..6541bbae3 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjlib-util/src/pjlib-util/scanner.c</span><br><span>++++ b/pjlib-util/src/pjlib-util/scanner.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -195,7 +195,13 @@ PJ_DEF(void) pj_scan_skip_whitespace( pj_scanner *scanner )</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ PJ_DEF(void) pj_scan_skip_line( pj_scanner *scanner )</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+- char *s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);</span><br><span style="color: hsl(120, 100%, 40%);">++ char *s;</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_scan_is_eof(scanner)) {</span><br><span style="color: hsl(120, 100%, 40%);">++ return;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!s) {</span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr = scanner->end;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -264,8 +270,7 @@ PJ_DEF(void) pj_scan_get( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ pj_assert(pj_cis_match(spec,0)==0);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- /* EOF is detected implicitly */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (!pj_cis_match(spec, *s)) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_syntax_err(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -299,8 +304,7 @@ PJ_DEF(void) pj_scan_get_unescape( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Must not match character '%' */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_assert(pj_cis_match(spec,'%')==0);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- /* EOF is detected implicitly */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (!pj_cis_match(spec, *s) && *s != '%') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s) && *s != '%') {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_syntax_err(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -436,7 +440,9 @@ PJ_DEF(void) pj_scan_get_n( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr += N;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) &&</span><br><span style="color: hsl(120, 100%, 40%);">++ PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_skip_whitespace(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -467,15 +473,16 @@ PJ_DEF(int) pj_scan_get_char( pj_scanner *scanner )</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ PJ_DEF(void) pj_scan_get_newline( pj_scanner *scanner )</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+- if (!PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_scan_is_eof(scanner) || !PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_syntax_err(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">++ /* We have checked scanner->curptr validity above */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (*scanner->curptr == '\r') {</span><br><span style="color: hsl(120, 100%, 40%);">+ ++scanner->curptr;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*scanner->curptr == '\n') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && *scanner->curptr == '\n') {</span><br><span style="color: hsl(120, 100%, 40%);">+ ++scanner->curptr;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -520,7 +527,9 @@ PJ_DEF(void) pj_scan_get_until( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr = s;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&</span><br><span style="color: hsl(120, 100%, 40%);">++ scanner->skip_ws)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_skip_whitespace(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -544,7 +553,9 @@ PJ_DEF(void) pj_scan_get_until_ch( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr = s;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&</span><br><span style="color: hsl(120, 100%, 40%);">++ scanner->skip_ws)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_skip_whitespace(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -570,7 +581,9 @@ PJ_DEF(void) pj_scan_get_until_chr( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr = s;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&</span><br><span style="color: hsl(120, 100%, 40%);">++ scanner->skip_ws)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_skip_whitespace(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -585,7 +598,9 @@ PJ_DEF(void) pj_scan_advance_n( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr += N;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && </span><br><span style="color: hsl(120, 100%, 40%);">++ PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_skip_whitespace(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -636,5 +651,3 @@ PJ_DEF(void) pj_scan_restore_state( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->line = state->line;</span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->start_line = state->start_line;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+-</span><br><span style="color: hsl(120, 100%, 40%);">+-</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjmedia/src/pjmedia/rtp.c b/pjmedia/src/pjmedia/rtp.c</span><br><span style="color: hsl(120, 100%, 40%);">+index 18917f18b..d29348cc5 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjmedia/src/pjmedia/rtp.c</span><br><span>++++ b/pjmedia/src/pjmedia/rtp.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -188,6 +188,11 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Payload is located right after header plus CSRC */</span><br><span style="color: hsl(120, 100%, 40%);">+ offset = sizeof(pjmedia_rtp_hdr) + ((*hdr)->cc * sizeof(pj_uint32_t));</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">++ /* Check that offset is less than packet size */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (offset >= pkt_len) {</span><br><span style="color: hsl(120, 100%, 40%);">++ return PJMEDIA_RTP_EINLEN;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Decode RTP extension. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if ((*hdr)->x) {</span><br><span style="color: hsl(120, 100%, 40%);">+ if (offset + sizeof (pjmedia_rtp_ext_hdr) > (unsigned)pkt_len)</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -202,8 +207,8 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(</span><br><span style="color: hsl(120, 100%, 40%);">+ dec_hdr->ext_len = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- /* Check that offset is less than packet size */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (offset > pkt_len)</span><br><span style="color: hsl(120, 100%, 40%);">++ /* Check again that offset is still less than packet size */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (offset >= pkt_len)</span><br><span style="color: hsl(120, 100%, 40%);">+ return PJMEDIA_RTP_EINLEN;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Find and set payload. */</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -393,5 +398,3 @@ void pjmedia_rtp_seq_update( pjmedia_rtp_seq_session *sess,</span><br><span style="color: hsl(120, 100%, 40%);">+ seq_status->status.value = st.status.value;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+-</span><br><span style="color: hsl(120, 100%, 40%);">+-</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c</span><br><span style="color: hsl(120, 100%, 40%);">+index 3905c2f52..647f49e13 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjmedia/src/pjmedia/sdp.c</span><br><span>++++ b/pjmedia/src/pjmedia/sdp.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -983,13 +983,13 @@ static void parse_version(pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ ctx->last_error = PJMEDIA_SDP_EINVER;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check version is 0 */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+2) != '0') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+2 >= scanner->end || *(scanner->curptr+2) != '0') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1006,7 +1006,7 @@ static void parse_origin(pj_scanner *scanner, pjmedia_sdp_session *ses,</span><br><span style="color: hsl(120, 100%, 40%);">+ ctx->last_error = PJMEDIA_SDP_EINORIGIN;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1052,7 +1052,7 @@ static void parse_time(pj_scanner *scanner, pjmedia_sdp_session *ses,</span><br><span style="color: hsl(120, 100%, 40%);">+ ctx->last_error = PJMEDIA_SDP_EINTIME;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1080,7 +1080,7 @@ static void parse_generic_line(pj_scanner *scanner, pj_str_t *str,</span><br><span style="color: hsl(120, 100%, 40%);">+ ctx->last_error = PJMEDIA_SDP_EINSDP;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if ((scanner->curptr+1 >= scanner->end) || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1149,7 +1149,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,</span><br><span style="color: hsl(120, 100%, 40%);">+ ctx->last_error = PJMEDIA_SDP_EINMEDIA;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check the equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1164,6 +1164,10 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,</span><br><span style="color: hsl(120, 100%, 40%);">+ /* port */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_get(scanner, &cs_token, &str);</span><br><span style="color: hsl(120, 100%, 40%);">+ med->desc.port = (unsigned short)pj_strtoul(&str);</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_scan_is_eof(scanner)) {</span><br><span style="color: hsl(120, 100%, 40%);">++ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">++ return;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (*scanner->curptr == '/') {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* port count */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_get_char(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1175,7 +1179,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ if (pj_scan_get_char(scanner) != ' ') {</span><br><span style="color: hsl(120, 100%, 40%);">+- PJ_THROW(SYNTAX_ERROR);</span><br><span style="color: hsl(120, 100%, 40%);">++ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* transport */</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1183,7 +1187,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* format list */</span><br><span style="color: hsl(120, 100%, 40%);">+ med->desc.fmt_count = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+- while (*scanner->curptr == ' ') {</span><br><span style="color: hsl(120, 100%, 40%);">++ while (scanner->curptr < scanner->end && *scanner->curptr == ' ') {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_str_t fmt;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_get_char(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1223,7 +1227,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ attr = PJ_POOL_ALLOC_T(pool, pjmedia_sdp_attr);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1242,7 +1246,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_get_char(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* get value */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*scanner->curptr != '\r' && *scanner->curptr != '\n') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && *scanner->curptr != '\r' && *scanner->curptr != '\n') {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_get_until_chr(scanner, "\r\n", &attr->value);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ attr->value.ptr = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+-- </span><br><span style="color: hsl(120, 100%, 40%);">+2.25.1</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>diff --git a/third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch b/third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch</span><br><span>new file mode 100644</span><br><span>index 0000000..76f02fc</span><br><span>--- /dev/null</span><br><span>+++ b/third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch</span><br><span>@@ -0,0 +1,44 @@</span><br><span style="color: hsl(120, 100%, 40%);">+From 450baca94f475345542c6953832650c390889202 Mon Sep 17 00:00:00 2001</span><br><span style="color: hsl(120, 100%, 40%);">+From: sauwming <ming@teluu.com></span><br><span style="color: hsl(120, 100%, 40%);">+Date: Tue, 7 Jun 2022 12:00:13 +0800</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: [PATCH] Merge pull request from GHSA-26j7-ww69-c4qj</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+---</span><br><span style="color: hsl(120, 100%, 40%);">+ pjlib-util/src/pjlib-util/stun_simple.c | 7 ++++++-</span><br><span style="color: hsl(120, 100%, 40%);">+ 1 file changed, 6 insertions(+), 1 deletion(-)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjlib-util/src/pjlib-util/stun_simple.c b/pjlib-util/src/pjlib-util/stun_simple.c</span><br><span style="color: hsl(120, 100%, 40%);">+index 722519584..d0549176d 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjlib-util/src/pjlib-util/stun_simple.c</span><br><span>++++ b/pjlib-util/src/pjlib-util/stun_simple.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -54,6 +54,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_uint16_t msg_type, msg_len;</span><br><span style="color: hsl(120, 100%, 40%);">+ char *p_attr;</span><br><span style="color: hsl(120, 100%, 40%);">++ int attr_max_cnt = PJ_ARRAY_SIZE(msg->attr);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ PJ_CHECK_STACK();</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -83,7 +84,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,</span><br><span style="color: hsl(120, 100%, 40%);">+ msg->attr_count = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ p_attr = (char*)buf + sizeof(pjstun_msg_hdr);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- while (msg_len > 0) {</span><br><span style="color: hsl(120, 100%, 40%);">++ while (msg_len > 0 && msg->attr_count < attr_max_cnt) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pjstun_attr_hdr **attr = &msg->attr[msg->attr_count];</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_uint32_t len;</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_uint16_t attr_type;</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -111,6 +112,10 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,</span><br><span style="color: hsl(120, 100%, 40%);">+ p_attr += len;</span><br><span style="color: hsl(120, 100%, 40%);">+ ++msg->attr_count;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">++ if (msg->attr_count == attr_max_cnt) {</span><br><span style="color: hsl(120, 100%, 40%);">++ PJ_LOG(4, (THIS_FILE, "Warning: max number attribute %d reached.",</span><br><span style="color: hsl(120, 100%, 40%);">++ attr_max_cnt));</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ return PJ_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+-- </span><br><span style="color: hsl(120, 100%, 40%);">+2.25.1</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/19638">change 19638</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/19638"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: 19.7 </div>
<div style="display:none"> Gerrit-Change-Id: I86fdc003d5d22cb66e7cc6dc3313a8194f27eb69 </div>
<div style="display:none"> Gerrit-Change-Number: 19638 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-MessageType: merged </div>