From 291da1132215950e63f024c6beb1a5b9d8318782 Mon Sep 17 00:00:00 2001
From: Brian West <brian@freeswitch.org>
Date: Tue, 2 Jan 2018 18:37:23 -0600
Subject: [PATCH] FS-10867: [freeswitch-core] Prevent stack smash when queing
 multiple sound files without event-lock #resolve

---
 src/include/switch_core.h |  2 ++
 src/switch_core_session.c |  8 ++++++++
 src/switch_ivr.c          | 10 ++++++++++
 3 files changed, 20 insertions(+)

diff --git a/src/include/switch_core.h b/src/include/switch_core.h
index a07ea36a1e..d597c601a3 100644
--- a/src/include/switch_core.h
+++ b/src/include/switch_core.h
@@ -1117,6 +1117,8 @@ SWITCH_DECLARE(switch_status_t) switch_core_session_get_app_flags(const char *ap
 */
 #define switch_core_session_execute_application(_a, _b, _c) switch_core_session_execute_application_get_flags(_a, _b, _c, NULL)
 
+SWITCH_DECLARE(uint32_t) switch_core_session_stack_count(switch_core_session_t *session, int x);
+
 /*!
   \brief Run a dialplan and execute an extension
   \param session the current session
diff --git a/src/switch_core_session.c b/src/switch_core_session.c
index b57e239f92..dec61f3917 100644
--- a/src/switch_core_session.c
+++ b/src/switch_core_session.c
@@ -2895,6 +2895,14 @@ SWITCH_DECLARE(switch_status_t) switch_core_session_exec(switch_core_session_t *
 	return SWITCH_STATUS_SUCCESS;
 }
 
+SWITCH_DECLARE(uint32_t) switch_core_session_stack_count(switch_core_session_t *session, int x)
+{
+	if (x > 0) session->stack_count++;
+	else if (x < 0) session->stack_count--;
+
+	return session->stack_count;
+}
+
 SWITCH_DECLARE(switch_status_t) switch_core_session_execute_exten(switch_core_session_t *session, const char *exten, const char *dialplan,
 																  const char *context)
 {
diff --git a/src/switch_ivr.c b/src/switch_ivr.c
index 770c3bb81f..462ed56b22 100644
--- a/src/switch_ivr.c
+++ b/src/switch_ivr.c
@@ -898,6 +898,14 @@ SWITCH_DECLARE(switch_status_t) switch_ivr_parse_all_events(switch_core_session_
 	int x = 0;
 	switch_channel_t *channel;
 
+	if (switch_core_session_stack_count(session, 0) > SWITCH_MAX_STACKS) {
+		switch_log_printf(SWITCH_CHANNEL_SESSION_LOG(session), SWITCH_LOG_ERROR, "Error %s too many stacked extensions\n",
+						  switch_core_session_get_name(session));
+		return SWITCH_STATUS_FALSE;
+	}
+
+	switch_core_session_stack_count(session, 1);
+	
 	switch_ivr_parse_all_messages(session);
 
 	channel = switch_core_session_get_channel(session);
@@ -914,6 +922,8 @@ SWITCH_DECLARE(switch_status_t) switch_ivr_parse_all_events(switch_core_session_
 		x++;
 	}
 
+	switch_core_session_stack_count(session, -1);
+	
 	return SWITCH_STATUS_SUCCESS;
 }