kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-09-18 18:58:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

various modules: json integer overflow

Browse Source 
There were still a few places in the code that could overflow when "packing"
a json object with a value outside the base type integer's range. For instance:

unsigned int value = INT_MAX + 1
ast_json_pack("{s: i}", value);

would result in a negative number being "packed". In those situations this patch
alters those values to a ast_json_int_t, which widens the value up to a long or
long long.

ASTERISK-28480

Change-Id: Ied530780d83e6f1772adba0e28d8938ef30c49a1
This commit is contained in:
Kevin Harwell
2019-08-01 16:22:01 -05:00
parent 4018e88369
commit 3656c42cb0
10 changed files with 38 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
main/rtp_engine.c
View File

@@ -3394,14 +3394,14 @@ static struct ast_json *rtcp_report_to_json(struct stasis_message *msg,
char str_lsr[32];
snprintf(str_lsr, sizeof(str_lsr), "%u", payload->report->report_block[i]->lsr);
json_report_block = ast_json_pack("{s: I, s: i, s: i, s: i, s: i, s: s, s: i}",
json_report_block = ast_json_pack("{s: I, s: I, s: I, s: I, s: I, s: s, s: I}",
"source_ssrc", (ast_json_int_t)payload->report->report_block[i]->source_ssrc,
"fraction_lost", payload->report->report_block[i]->lost_count.fraction,
"packets_lost", payload->report->report_block[i]->lost_count.packets,
"highest_seq_no", payload->report->report_block[i]->highest_seq_no,
"ia_jitter", payload->report->report_block[i]->ia_jitter,
"fraction_lost", (ast_json_int_t)payload->report->report_block[i]->lost_count.fraction,
"packets_lost", (ast_json_int_t)payload->report->report_block[i]->lost_count.packets,
"highest_seq_no", (ast_json_int_t)payload->report->report_block[i]->highest_seq_no,
"ia_jitter", (ast_json_int_t)payload->report->report_block[i]->ia_jitter,
"lsr", str_lsr,
"dlsr", payload->report->report_block[i]->dlsr);
"dlsr", (ast_json_int_t)payload->report->report_block[i]->dlsr);
if (!json_report_block
|| ast_json_array_append(json_rtcp_report_blocks, json_report_block)) {
ast_json_unref(json_rtcp_report_blocks);
@@ -3415,21 +3415,21 @@ static struct ast_json *rtcp_report_to_json(struct stasis_message *msg,
snprintf(sec, sizeof(sec), "%lu", (unsigned long)payload->report->sender_information.ntp_timestamp.tv_sec);
snprintf(usec, sizeof(usec), "%lu", (unsigned long)payload->report->sender_information.ntp_timestamp.tv_usec);
json_rtcp_sender_info = ast_json_pack("{s: s, s: s, s: i, s: i, s: i}",
json_rtcp_sender_info = ast_json_pack("{s: s, s: s, s: I, s: I, s: I}",
"ntp_timestamp_sec", sec,
"ntp_timestamp_usec", usec,
"rtp_timestamp", payload->report->sender_information.rtp_timestamp,
"packets", payload->report->sender_information.packet_count,
"octets", payload->report->sender_information.octet_count);
"rtp_timestamp", (ast_json_int_t)payload->report->sender_information.rtp_timestamp,
"packets", (ast_json_int_t)payload->report->sender_information.packet_count,
"octets", (ast_json_int_t)payload->report->sender_information.octet_count);
if (!json_rtcp_sender_info) {
ast_json_unref(json_rtcp_report_blocks);
return NULL;
}
}
json_rtcp_report = ast_json_pack("{s: I, s: i, s: i, s: o, s: o}",
json_rtcp_report = ast_json_pack("{s: I, s: I, s: i, s: o, s: o}",
"ssrc", (ast_json_int_t)payload->report->ssrc,
"type", payload->report->type,
"type", (ast_json_int_t)payload->report->type,
"report_count", payload->report->reception_report_count,
"sender_information", json_rtcp_sender_info ?: ast_json_null(),
"report_blocks", json_rtcp_report_blocks);