[Asterisk-code-review] core/frame: Fix ast_frdup() and ast_frisolate() for empty te... (asterisk[15])

George Joseph asteriskteam at digium.com
Wed Oct 3 13:43:06 CDT 2018


George Joseph has submitted this change and it was merged. ( https://gerrit.asterisk.org/10369 )

Change subject: core/frame: Fix ast_frdup() and ast_frisolate() for empty text frames
......................................................................

core/frame: Fix ast_frdup() and ast_frisolate() for empty text frames

If a channel creates an AST_TEXT_FRAME with datalen == 0, the ast_frdup()
and ast_frisolate() functions could create a clone frame with an invalid
data.ptr which would cause a crash.  The proposed fix is to make sure that
for such empty text frames, ast_frdup() and ast_frisolate() return cloned
text frames with a valid data.ptr.

ASTERISK-28076
Reported by: Emmanuel BUU
Tested by: Emmanuel BUU

Change-Id: Ib882dd028598f13c4c233edbfdd7e54ad44a68e9
---
M main/frame.c
1 file changed, 3 insertions(+), 2 deletions(-)

Approvals:
  Richard Mudgett: Looks good to me, but someone else must approve
  Joshua Colp: Looks good to me, approved
  George Joseph: Approved for Submit



diff --git a/main/frame.c b/main/frame.c
index 383571f..208c82d 100644
--- a/main/frame.c
+++ b/main/frame.c
@@ -259,7 +259,7 @@
 
 	if (!(fr->mallocd & AST_MALLOCD_DATA))  {
 		/* The original frame has a non-malloced data buffer. */
-		if (!fr->datalen) {
+		if (!fr->datalen && fr->frametype != AST_FRAME_TEXT) {
 			/* Actually it's just an int so we can simply copy it. */
 			out->data.uint32 = fr->data.uint32;
 			return out;
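Review bot: The new `fr->frametype != AST_FRAME_TEXT` test in the `!fr->datalen` condition has no comment, and the existing one ("Actually it's just an int so we can simply copy it") no longer explains why text frames are excluded. Please add a short comment here like the one added in the second hunk, stating that an empty text frame must still end up with a valid data.ptr. The fall-through path that an empty text frame now takes is not visible in this hunk, so it is worth confirming that it copes with a zero datalen and leaves data.ptr pointing at usable storage rather than at the original frame's non-malloced buffer.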
@@ -356,7 +356,8 @@
 	 */
 	out->mallocd = AST_MALLOCD_HDR;
 	out->offset = AST_FRIENDLY_OFFSET;
-	if (out->datalen) {
+	/* Make sure that empty text frames have a valid data.ptr */
+	if (out->datalen || f->frametype == AST_FRAME_TEXT) {
 		out->data.ptr = buf + sizeof(*out) + AST_FRIENDLY_OFFSET;
 		memcpy(out->data.ptr, f->data.ptr, out->datalen);
 	} else {
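Review bot: With the widened condition, `memcpy(out->data.ptr, f->data.ptr, out->datalen)` is now reached with out->datalen == 0 for text frames, and in C passing a null or invalid source pointer to memcpy is undefined behaviour even when the length is zero. If an empty text frame can arrive with f->data.ptr unset, guard the copy with `if (out->datalen)` while still assigning out->data.ptr. The visible lines also do not show a terminator being written at out->data.ptr, so if consumers read a text frame's payload as a C string, set the first byte to '\0' explicitly for the empty case instead of relying on how buf was allocated. Minor style point: the old test used `out->datalen` and the new clause uses `f->frametype`; using one frame consistently in the condition would read more clearly.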

-- 
To view, visit https://gerrit.asterisk.org/10369
To unsubscribe, or for help writing mail filters, visit https://gerrit.asterisk.org/settings

Gerrit-Project: asterisk
Gerrit-Branch: 15
Gerrit-MessageType: merged
Gerrit-Change-Id: Ib882dd028598f13c4c233edbfdd7e54ad44a68e9
Gerrit-Change-Number: 10369
Gerrit-PatchSet: 1
Gerrit-Owner: Richard Mudgett <rmudgett at digium.com>
Gerrit-Reviewer: Emmanuel BUU <emmanuel.buu at ives.fr>
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Jenkins2 (1000185)
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-Reviewer: Richard Mudgett <rmudgett at digium.com>