From 7dab892401aad8e359b171b894d43b928f28a43a Mon Sep 17 00:00:00 2001
From: Joshua Colp <jcolp@digium.com>
Date: Tue, 1 Apr 2008 16:50:37 +0000
Subject: [PATCH] Merged revisions 112125 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4

........
r112125 | file | 2008-04-01 13:45:14 -0300 (Tue, 01 Apr 2008) | 5 lines

Ensure that we do not exceed the hold's maximum size with a single frame.
(closes issue #12047)
Reported by: fabianoheringer
Tested by: fabianoheringer

........


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@112126 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 include/asterisk/slinfactory.h | 4 +++-
 main/slinfactory.c             | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/include/asterisk/slinfactory.h b/include/asterisk/slinfactory.h
index 386cf51bae..4d3e8eaf83 100644
--- a/include/asterisk/slinfactory.h
+++ b/include/asterisk/slinfactory.h
@@ -28,10 +28,12 @@
 extern "C" {
 #endif
 
+#define AST_SLINFACTORY_MAX_HOLD 1280
+
 struct ast_slinfactory {
 	AST_LIST_HEAD_NOLOCK(, ast_frame) queue; /*!< A list of unaltered frames */
 	struct ast_trans_pvt *trans;             /*!< Translation path that converts fed frames into signed linear */
-	short hold[1280];                        /*!< Hold for audio that no longer belongs to a frame (ie: if only some samples were taken from a frame) */
+	short hold[AST_SLINFACTORY_MAX_HOLD];    /*!< Hold for audio that no longer belongs to a frame (ie: if only some samples were taken from a frame) */
 	short *offset;                           /*!< Offset into the hold where audio begins */
 	size_t holdlen;                          /*!< Number of samples currently in the hold */
 	unsigned int size;                       /*!< Number of samples currently in the factory */
diff --git a/main/slinfactory.c b/main/slinfactory.c
index 6c1bdd6f9d..af70399e67 100644
--- a/main/slinfactory.c
+++ b/main/slinfactory.c
@@ -172,6 +172,9 @@ int ast_slinfactory_read(struct ast_slinfactory *sf, short *buf, size_t samples)
 				memcpy(offset, frame_data, ineed * sizeof(*offset));
 				sofar += ineed;
 				frame_data += ineed;
+				if (remain > (AST_SLINFACTORY_MAX_HOLD - sf->holdlen)) {
+					remain = AST_SLINFACTORY_MAX_HOLD - sf->holdlen;
+				}
 				memcpy(sf->hold, frame_data, remain * sizeof(*offset));
 				sf->holdlen = remain;
 			}