[svn-commits] branch 1.2 r25160 - /branches/1.2/frame.c

[svn-commits at lists.digium.com]

Author: russell
Date: Fri May  5 21:25:48 2006
New Revision: 25160

URL: http://svn.digium.com/view/asterisk?rev=25160&view=rev
Log:
fix a problem where the frame's data pointer is overwritten by the newly
allocated data buffer before the data can be copied from it.  This is in
the ast_frisolate() function which is rarely used.  (issue #6732, stefankroon)

Modified:
    branches/1.2/frame.c

Modified: branches/1.2/frame.c
URL: http://svn.digium.com/view/asterisk/branches/1.2/frame.c?rev=25160&r1=25159&r2=25160&view=diff
==============================================================================
--- branches/1.2/frame.c (original)
+++ branches/1.2/frame.c Fri May  5 21:25:48 2006
@@ -304,6 +304,8 @@
 struct ast_frame *ast_frisolate(struct ast_frame *fr)
 {
 	struct ast_frame *out;
+	void *newdata;
+
 	if (!(fr->mallocd & AST_MALLOCD_HDR)) {
 		/* Allocate a new header if needed */
 		out = ast_frame_header_new();
@@ -318,27 +320,30 @@
 		out->offset = fr->offset;
 		out->src = NULL;
 		out->data = fr->data;
-	} else {
+	} else
 		out = fr;
-	}
+	
 	if (!(fr->mallocd & AST_MALLOCD_SRC)) {
 		if (fr->src)
 			out->src = strdup(fr->src);
-	} else
-		out->src = fr->src;
+	}
+	
 	if (!(fr->mallocd & AST_MALLOCD_DATA))  {
-		out->data = malloc(fr->datalen + AST_FRIENDLY_OFFSET);
-		if (!out->data) {
+		newdata = malloc(fr->datalen + AST_FRIENDLY_OFFSET);
+		if (!newdata) {
 			free(out);
 			ast_log(LOG_WARNING, "Out of memory\n");
 			return NULL;
 		}
-		out->data += AST_FRIENDLY_OFFSET;
+		newdata += AST_FRIENDLY_OFFSET;
 		out->offset = AST_FRIENDLY_OFFSET;
 		out->datalen = fr->datalen;
-		memcpy(out->data, fr->data, fr->datalen);
-	}
+		memcpy(newdata, fr->data, fr->datalen);
+		out->data = newdata;
+	}
+
 	out->mallocd = AST_MALLOCD_HDR | AST_MALLOCD_SRC | AST_MALLOCD_DATA;
+	
 	return out;
 }