[svn-commits] wdoekes: trunk r420718 - in /trunk: ./ main/utils.c

SVN commits to the Digium repositories svn-commits at lists.digium.com
Mon Aug 11 05:41:10 CDT 2014


Author: wdoekes
Date: Mon Aug 11 05:41:07 2014
New Revision: 420718

URL: http://svnview.digium.com/svn/asterisk?view=rev&rev=420718
Log:
general: Fix memory corruption in __ast_string_field_ptr_build_va.

If the space left in a stringfield is between 0 and
(alignof(ast_string_field_allocation)-1) adding new data would cause
memory corruption, because we would assume enough space (unsigned
underrun).

Thanks Arnd Schmitter for reporting and finding out the cause!

ASTERISK-23508 #close
Reported by: Arnd Schmitter
Tested by: Arnd Schmitter, JoshE

Review: https://reviewboard.asterisk.org/r/3898/
........

Merged revisions 420680 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 420715 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 420716 from http://svn.asterisk.org/svn/asterisk/branches/12
........

Merged revisions 420717 from http://svn.asterisk.org/svn/asterisk/branches/13

Modified:
    trunk/   (props changed)
    trunk/main/utils.c

Propchange: trunk/
------------------------------------------------------------------------------
--- branch-13-merged (original)
+++ branch-13-merged Mon Aug 11 05:41:07 2014
@@ -1,1 +1,1 @@
-/branches/13:1-420494,420514,420534,420536,420538,420562,420577,420592,420609,420624,420639,420657
+/branches/13:1-420494,420514,420534,420536,420538,420562,420577,420592,420609,420624,420639,420657,420717

Modified: trunk/main/utils.c
URL: http://svnview.digium.com/svn/asterisk/trunk/main/utils.c?view=diff&rev=420718&r1=420717&r2=420718
==============================================================================
--- trunk/main/utils.c (original)
+++ trunk/main/utils.c Mon Aug 11 05:41:07 2014
@@ -2001,6 +2001,7 @@
 	size_t needed;
 	size_t available;
 	size_t space = (*pool_head)->size - (*pool_head)->used;
+	int res;
 	ssize_t grow;
 	char *target;
 	va_list ap2;
@@ -2020,12 +2021,22 @@
 		 * so we don't need to re-align anything here.
 		 */
 		target = (*pool_head)->base + (*pool_head)->used + ast_alignof(ast_string_field_allocation);
-		available = space - ast_alignof(ast_string_field_allocation);
+		if (space > ast_alignof(ast_string_field_allocation)) {
+			available = space - ast_alignof(ast_string_field_allocation);
+		} else {
+			available = 0;
+		}
 	}
 
 	va_copy(ap2, ap);
-	needed = vsnprintf(target, available, format, ap2) + 1;
+	res = vsnprintf(target, available, format, ap2);
 	va_end(ap2);
+
+	if (res < 0) {
+		/* Are we out of memory? */
+		return;
+	}
+	needed = (size_t)res + 1; /* NUL byte */
 
 	if (needed > available) {
 		/* the allocation could not be satisfied using the field's current allocation
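Review bot: The early `return;` in the new `if (res < 0)` block gives the caller no indication that the field was not updated, and the comment "Are we out of memory?" is a question rather than a description of the failure. Consider logging the vsnprintf failure there and stating in the comment that `*ptr` keeps its previous value. Also, in the branch that now sets `available = 0`, `target` is still computed as `base + used + ast_alignof(...)` even when `space` is smaller than the header; that is only safe because vsnprintf is passed a size of 0, so a one-line comment saying so would help the next reader.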
@@ -2045,7 +2056,8 @@
 		*/
 		__ast_string_field_release_active(*pool_head, *ptr);
 		mgr->last_alloc = *ptr = target;
-		AST_STRING_FIELD_ALLOCATION(target) = needed;
+	        ast_assert(needed < (ast_string_field_allocation)-1);
+		AST_STRING_FIELD_ALLOCATION(target) = (ast_string_field_allocation)needed;
 		(*pool_head)->used += ast_make_room_for(needed, ast_string_field_allocation);
 		(*pool_head)->active += needed;
 	} else if ((grow = (needed - AST_STRING_FIELD_ALLOCATION(*ptr))) > 0) {
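Review bot: The bound on `needed` ahead of the narrowing cast is enforced only by `ast_assert(needed < (ast_string_field_allocation)-1);`, so in any build where assertions are compiled out an oversized `needed` would be truncated when stored in the allocation header while `used` and `active` are still advanced by the untruncated value. A runtime check that bails out before the header is written would be safer than an assertion. The expression `(ast_string_field_allocation)-1` also reads like a subtraction and depends on the type being unsigned; a named maximum constant would make the intent clear. Style: the added ast_assert line is indented with a tab followed by spaces, where the surrounding lines use tabs only.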



