<p>Benjamin Keith Ford <strong>submitted</strong> this change.</p><p><a href="https://gerrit.asterisk.org/c/asterisk/+/19618">View Change</a></p><pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span></span><br></pre><div style="white-space:pre-wrap">Approvals:
Benjamin Keith Ford: Looks good to me, approved; Approved for Submit
Friendly Automation: Verified
</div><pre style="font-family: monospace,monospace; white-space: pre-wrap;">pjproject: 2.13 security fixes<br><br>Backports two security fixes (c4d3498 and 450baca) from pjproject 2.13.<br>The first one was modified due to merge conflicts specifically with<br>certified.<br><br>ASTERISK-30338<br><br>Change-Id: I86fdc003d5d22cb66e7cc6dc3313a8194f27eb69<br>---<br>A third-party/pjproject/patches/0200-cert-18.9-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch<br>A third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch<br>2 files changed, 366 insertions(+), 0 deletions(-)<br><br></pre>
<pre style="font-family: monospace,monospace; white-space: pre-wrap;"><span>diff --git a/third-party/pjproject/patches/0200-cert-18.9-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch b/third-party/pjproject/patches/0200-cert-18.9-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch</span><br><span>new file mode 100644</span><br><span>index 0000000..fa18860</span><br><span>--- /dev/null</span><br><span>+++ b/third-party/pjproject/patches/0200-cert-18.9-potential-buffer-overflow-in-pjlib-scanner-and-pjmedia.patch</span><br><span>@@ -0,0 +1,307 @@</span><br><span style="color: hsl(120, 100%, 40%);">+From aefc5f83f7de651e3a37e7e1781bfaef46dab9c4 Mon Sep 17 00:00:00 2001</span><br><span style="color: hsl(120, 100%, 40%);">+From: Ben Ford <bford@sangoma.com></span><br><span style="color: hsl(120, 100%, 40%);">+Date: Wed, 30 Nov 2022 11:28:16 -0600</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: [PATCH] Merge pull request from GHSA-fq45-m3f7-3mhj</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Initial patch</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Use 'pj_scan_is_eof(scanner)'</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Use 'pj_scan_is_eof(scanner)'</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Use 'pj_scan_is_eof(scanner)'</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Use `!pj_scan_is_eof` instead of manually checking `scanner->curptr < scanner->end`</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Maksim Mukosey <mmukosey@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Update pjlib-util/src/pjlib-util/scanner.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Update pjlib-util/src/pjlib-util/scanner.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Update pjlib-util/src/pjlib-util/scanner.c</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Revert '>=' back to '>' in pj_scan_stricmp_alnum()</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+* Fix error compiles.</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+Co-authered-by: sauwming <ming@teluu.com></span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Nanang Izzuddin <nanang@teluu.com></span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+Co-authored-by: Maksim Mukosey <mmukosey@gmail.com></span><br><span style="color: hsl(120, 100%, 40%);">+---</span><br><span style="color: hsl(120, 100%, 40%);">+ pjlib-util/src/pjlib-util/scanner.c | 41 +++++++++++++++++++----------</span><br><span style="color: hsl(120, 100%, 40%);">+ pjmedia/src/pjmedia/rtp.c | 11 +++++---</span><br><span style="color: hsl(120, 100%, 40%);">+ pjmedia/src/pjmedia/sdp.c | 24 ++++++++++-------</span><br><span style="color: hsl(120, 100%, 40%);">+ 3 files changed, 48 insertions(+), 28 deletions(-)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjlib-util/src/pjlib-util/scanner.c b/pjlib-util/src/pjlib-util/scanner.c</span><br><span style="color: hsl(120, 100%, 40%);">+index c18b74c55..ea27bbec9 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjlib-util/src/pjlib-util/scanner.c</span><br><span>++++ b/pjlib-util/src/pjlib-util/scanner.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -195,7 +195,13 @@ PJ_DEF(void) pj_scan_skip_whitespace( pj_scanner *scanner )</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ PJ_DEF(void) pj_scan_skip_line( pj_scanner *scanner )</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+- char *s = pj_ansi_strchr(scanner->curptr, '\n');</span><br><span style="color: hsl(120, 100%, 40%);">++ char *s;</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_scan_is_eof(scanner)) {</span><br><span style="color: hsl(120, 100%, 40%);">++ return;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">++ s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);</span><br><span style="color: hsl(120, 100%, 40%);">+ if (!s) {</span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr = scanner->end;</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -264,8 +270,7 @@ PJ_DEF(void) pj_scan_get( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ pj_assert(pj_cis_match(spec,0)==0);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- /* EOF is detected implicitly */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (!pj_cis_match(spec, *s)) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_syntax_err(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -299,8 +304,7 @@ PJ_DEF(void) pj_scan_get_unescape( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Must not match character '%' */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_assert(pj_cis_match(spec,'%')==0);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- /* EOF is detected implicitly */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (!pj_cis_match(spec, *s) && *s != '%') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s) && *s != '%') {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_syntax_err(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -436,7 +440,9 @@ PJ_DEF(void) pj_scan_get_n( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr += N;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) &&</span><br><span style="color: hsl(120, 100%, 40%);">++ PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_skip_whitespace(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -462,15 +468,16 @@ PJ_DEF(int) pj_scan_get_char( pj_scanner *scanner )</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ PJ_DEF(void) pj_scan_get_newline( pj_scanner *scanner )</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+- if (!PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_scan_is_eof(scanner) || !PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_syntax_err(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">++ /* We have checked scanner->curptr validity above */</span><br><span style="color: hsl(120, 100%, 40%);">+ if (*scanner->curptr == '\r') {</span><br><span style="color: hsl(120, 100%, 40%);">+ ++scanner->curptr;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*scanner->curptr == '\n') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && *scanner->curptr == '\n') {</span><br><span style="color: hsl(120, 100%, 40%);">+ ++scanner->curptr;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -515,7 +522,9 @@ PJ_DEF(void) pj_scan_get_until( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr = s;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&</span><br><span style="color: hsl(120, 100%, 40%);">++ scanner->skip_ws)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_skip_whitespace(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -539,7 +548,9 @@ PJ_DEF(void) pj_scan_get_until_ch( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr = s;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&</span><br><span style="color: hsl(120, 100%, 40%);">++ scanner->skip_ws)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_skip_whitespace(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -565,7 +576,9 @@ PJ_DEF(void) pj_scan_get_until_chr( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr = s;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&</span><br><span style="color: hsl(120, 100%, 40%);">++ scanner->skip_ws)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_skip_whitespace(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -580,7 +593,9 @@ PJ_DEF(void) pj_scan_advance_n( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->curptr += N;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws) {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && </span><br><span style="color: hsl(120, 100%, 40%);">++ PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws)</span><br><span style="color: hsl(120, 100%, 40%);">++ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_skip_whitespace(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -631,5 +646,3 @@ PJ_DEF(void) pj_scan_restore_state( pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->line = state->line;</span><br><span style="color: hsl(120, 100%, 40%);">+ scanner->start_line = state->start_line;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+-</span><br><span style="color: hsl(120, 100%, 40%);">+-</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjmedia/src/pjmedia/rtp.c b/pjmedia/src/pjmedia/rtp.c</span><br><span style="color: hsl(120, 100%, 40%);">+index 6c571010c..c987cd0ad 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjmedia/src/pjmedia/rtp.c</span><br><span>++++ b/pjmedia/src/pjmedia/rtp.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -183,6 +183,11 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Payload is located right after header plus CSRC */</span><br><span style="color: hsl(120, 100%, 40%);">+ offset = sizeof(pjmedia_rtp_hdr) + ((*hdr)->cc * sizeof(pj_uint32_t));</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">++ /* Check that offset is less than packet size */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (offset >= pkt_len) {</span><br><span style="color: hsl(120, 100%, 40%);">++ return PJMEDIA_RTP_EINLEN;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">++</span><br><span style="color: hsl(120, 100%, 40%);">+ /* Decode RTP extension. */</span><br><span style="color: hsl(120, 100%, 40%);">+ if ((*hdr)->x) {</span><br><span style="color: hsl(120, 100%, 40%);">+ dec_hdr->ext_hdr = (pjmedia_rtp_ext_hdr*)(((pj_uint8_t*)pkt) + offset);</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -195,8 +200,8 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(</span><br><span style="color: hsl(120, 100%, 40%);">+ dec_hdr->ext_len = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- /* Check that offset is less than packet size */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (offset > pkt_len)</span><br><span style="color: hsl(120, 100%, 40%);">++ /* Check again that offset is still less than packet size */</span><br><span style="color: hsl(120, 100%, 40%);">++ if (offset >= pkt_len)</span><br><span style="color: hsl(120, 100%, 40%);">+ return PJMEDIA_RTP_EINLEN;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* Find and set payload. */</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -386,5 +391,3 @@ void pjmedia_rtp_seq_update( pjmedia_rtp_seq_session *sess,</span><br><span style="color: hsl(120, 100%, 40%);">+ seq_status->status.value = st.status.value;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+-</span><br><span style="color: hsl(120, 100%, 40%);">+-</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c</span><br><span style="color: hsl(120, 100%, 40%);">+index c443d863f..f27a1a84f 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjmedia/src/pjmedia/sdp.c</span><br><span>++++ b/pjmedia/src/pjmedia/sdp.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -967,13 +967,13 @@ static void parse_version(pj_scanner *scanner, parse_context *ctx)</span><br><span style="color: hsl(120, 100%, 40%);">+ ctx->last_error = PJMEDIA_SDP_EINVER;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check version is 0 */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+2) != '0') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+2 >= scanner->end || *(scanner->curptr+2) != '0') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -990,7 +990,7 @@ static void parse_origin(pj_scanner *scanner, pjmedia_sdp_session *ses,</span><br><span style="color: hsl(120, 100%, 40%);">+ ctx->last_error = PJMEDIA_SDP_EINORIGIN;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1036,7 +1036,7 @@ static void parse_time(pj_scanner *scanner, pjmedia_sdp_session *ses,</span><br><span style="color: hsl(120, 100%, 40%);">+ ctx->last_error = PJMEDIA_SDP_EINTIME;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1064,7 +1064,7 @@ static void parse_generic_line(pj_scanner *scanner, pj_str_t *str,</span><br><span style="color: hsl(120, 100%, 40%);">+ ctx->last_error = PJMEDIA_SDP_EINSDP;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if ((scanner->curptr+1 >= scanner->end) || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1133,7 +1133,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,</span><br><span style="color: hsl(120, 100%, 40%);">+ ctx->last_error = PJMEDIA_SDP_EINMEDIA;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check the equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1148,6 +1148,10 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,</span><br><span style="color: hsl(120, 100%, 40%);">+ /* port */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_get(scanner, &cs_token, &str);</span><br><span style="color: hsl(120, 100%, 40%);">+ med->desc.port = (unsigned short)pj_strtoul(&str);</span><br><span style="color: hsl(120, 100%, 40%);">++ if (pj_scan_is_eof(scanner)) {</span><br><span style="color: hsl(120, 100%, 40%);">++ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">++ return;</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ if (*scanner->curptr == '/') {</span><br><span style="color: hsl(120, 100%, 40%);">+ /* port count */</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_get_char(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1159,7 +1163,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ if (pj_scan_get_char(scanner) != ' ') {</span><br><span style="color: hsl(120, 100%, 40%);">+- PJ_THROW(SYNTAX_ERROR);</span><br><span style="color: hsl(120, 100%, 40%);">++ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* transport */</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1167,7 +1171,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* format list */</span><br><span style="color: hsl(120, 100%, 40%);">+ med->desc.fmt_count = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+- while (*scanner->curptr == ' ') {</span><br><span style="color: hsl(120, 100%, 40%);">++ while (scanner->curptr < scanner->end && *scanner->curptr == ' ') {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_str_t fmt;</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_get_char(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1207,7 +1211,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ attr = PJ_POOL_ALLOC_T(pool, pjmedia_sdp_attr);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* check equal sign */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {</span><br><span style="color: hsl(120, 100%, 40%);">+ on_scanner_error(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ return NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -1226,7 +1230,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_get_char(scanner);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ /* get value */</span><br><span style="color: hsl(120, 100%, 40%);">+- if (*scanner->curptr != '\r' && *scanner->curptr != '\n') {</span><br><span style="color: hsl(120, 100%, 40%);">++ if (!pj_scan_is_eof(scanner) && *scanner->curptr != '\r' && *scanner->curptr != '\n') {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_scan_get_until_chr(scanner, "\r\n", &attr->value);</span><br><span style="color: hsl(120, 100%, 40%);">+ } else {</span><br><span style="color: hsl(120, 100%, 40%);">+ attr->value.ptr = NULL;</span><br><span style="color: hsl(120, 100%, 40%);">+-- </span><br><span style="color: hsl(120, 100%, 40%);">+2.25.1</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span>diff --git a/third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch b/third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch</span><br><span>new file mode 100644</span><br><span>index 0000000..76f02fc</span><br><span>--- /dev/null</span><br><span>+++ b/third-party/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch</span><br><span>@@ -0,0 +1,44 @@</span><br><span style="color: hsl(120, 100%, 40%);">+From 450baca94f475345542c6953832650c390889202 Mon Sep 17 00:00:00 2001</span><br><span style="color: hsl(120, 100%, 40%);">+From: sauwming <ming@teluu.com></span><br><span style="color: hsl(120, 100%, 40%);">+Date: Tue, 7 Jun 2022 12:00:13 +0800</span><br><span style="color: hsl(120, 100%, 40%);">+Subject: [PATCH] Merge pull request from GHSA-26j7-ww69-c4qj</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+---</span><br><span style="color: hsl(120, 100%, 40%);">+ pjlib-util/src/pjlib-util/stun_simple.c | 7 ++++++-</span><br><span style="color: hsl(120, 100%, 40%);">+ 1 file changed, 6 insertions(+), 1 deletion(-)</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span style="color: hsl(120, 100%, 40%);">+diff --git a/pjlib-util/src/pjlib-util/stun_simple.c b/pjlib-util/src/pjlib-util/stun_simple.c</span><br><span style="color: hsl(120, 100%, 40%);">+index 722519584..d0549176d 100644</span><br><span style="color: hsl(120, 100%, 40%);">+--- a/pjlib-util/src/pjlib-util/stun_simple.c</span><br><span>++++ b/pjlib-util/src/pjlib-util/stun_simple.c</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -54,6 +54,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,</span><br><span style="color: hsl(120, 100%, 40%);">+ {</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_uint16_t msg_type, msg_len;</span><br><span style="color: hsl(120, 100%, 40%);">+ char *p_attr;</span><br><span style="color: hsl(120, 100%, 40%);">++ int attr_max_cnt = PJ_ARRAY_SIZE(msg->attr);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ PJ_CHECK_STACK();</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+@@ -83,7 +84,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,</span><br><span style="color: hsl(120, 100%, 40%);">+ msg->attr_count = 0;</span><br><span style="color: hsl(120, 100%, 40%);">+ p_attr = (char*)buf + sizeof(pjstun_msg_hdr);</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+- while (msg_len > 0) {</span><br><span style="color: hsl(120, 100%, 40%);">++ while (msg_len > 0 && msg->attr_count < attr_max_cnt) {</span><br><span style="color: hsl(120, 100%, 40%);">+ pjstun_attr_hdr **attr = &msg->attr[msg->attr_count];</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_uint32_t len;</span><br><span style="color: hsl(120, 100%, 40%);">+ pj_uint16_t attr_type;</span><br><span style="color: hsl(120, 100%, 40%);">+@@ -111,6 +112,10 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( void *buf, pj_size_t buf_len,</span><br><span style="color: hsl(120, 100%, 40%);">+ p_attr += len;</span><br><span style="color: hsl(120, 100%, 40%);">+ ++msg->attr_count;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">++ if (msg->attr_count == attr_max_cnt) {</span><br><span style="color: hsl(120, 100%, 40%);">++ PJ_LOG(4, (THIS_FILE, "Warning: max number attribute %d reached.",</span><br><span style="color: hsl(120, 100%, 40%);">++ attr_max_cnt));</span><br><span style="color: hsl(120, 100%, 40%);">++ }</span><br><span style="color: hsl(120, 100%, 40%);">+ </span><br><span style="color: hsl(120, 100%, 40%);">+ return PJ_SUCCESS;</span><br><span style="color: hsl(120, 100%, 40%);">+ }</span><br><span style="color: hsl(120, 100%, 40%);">+-- </span><br><span style="color: hsl(120, 100%, 40%);">+2.25.1</span><br><span style="color: hsl(120, 100%, 40%);">+</span><br><span></span><br></pre><p>To view, visit <a href="https://gerrit.asterisk.org/c/asterisk/+/19618">change 19618</a>. To unsubscribe, or for help writing mail filters, visit <a href="https://gerrit.asterisk.org/settings">settings</a>.</p><div itemscope itemtype="http://schema.org/EmailMessage"><div itemscope itemprop="action" itemtype="http://schema.org/ViewAction"><link itemprop="url" href="https://gerrit.asterisk.org/c/asterisk/+/19618"/><meta itemprop="name" content="View Change"/></div></div>
<div style="display:none"> Gerrit-Project: asterisk </div>
<div style="display:none"> Gerrit-Branch: certified/18.9 </div>
<div style="display:none"> Gerrit-Change-Id: I86fdc003d5d22cb66e7cc6dc3313a8194f27eb69 </div>
<div style="display:none"> Gerrit-Change-Number: 19618 </div>
<div style="display:none"> Gerrit-PatchSet: 2 </div>
<div style="display:none"> Gerrit-Owner: Friendly Automation </div>
<div style="display:none"> Gerrit-Reviewer: Benjamin Keith Ford <bford@digium.com> </div>
<div style="display:none"> Gerrit-Reviewer: Friendly Automation </div>
<div style="display:none"> Gerrit-MessageType: merged </div>