kenmirrors/freeswitch
1
0
Fork 0
mirror of https://github.com/signalwire/freeswitch.git synced 2025-02-09 09:17:34 +00:00
Code Issues Projects Releases Wiki Activity

fix out-of-bounds pointer in variable expansion detected by MSCV (thanks for nothing linux) FSCORE-171

Browse Source 
git-svn-id: http://svn.freeswitch.org/svn/freeswitch/trunk@9236 d0543943-73ff-0310-b7d9-9358b9ac24b2
This commit is contained in:
Anthony Minessale 2008-08-11 15:37:50 +00:00
parent 0dc0aa090d
commit 2f405f4bc5
2 changed files with 8 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/switch_channel.c
View File

@ -1598,7 +1598,7 @@ SWITCH_DECLARE(switch_status_t) switch_channel_perform_answer(switch_channel_t *
SWITCH_DECLARE(char *) switch_channel_expand_variables(switch_channel_t *channel, const char *in) SWITCH_DECLARE(char *) switch_channel_expand_variables(switch_channel_t *channel, const char *in)
{ {
char *p, *c = NULL; char *p, *c = NULL;
char *data, *indup; char *data, *indup, *endof_indup;
size_t sp = 0, len = 0, olen = 0, vtype = 0, br = 0, cpos, block = 128; size_t sp = 0, len = 0, olen = 0, vtype = 0, br = 0, cpos, block = 128;
const char *q; const char *q;
char *cloned_sub_val = NULL, *sub_val = NULL; char *cloned_sub_val = NULL, *sub_val = NULL;
@ -1632,11 +1632,12 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables(switch_channel_t *channel
nv = 0; nv = 0;
olen = strlen(in) + 1; olen = strlen(in) + 1;
indup = strdup(in); indup = strdup(in);
endof_indup = end_of_p(indup);
if ((data = malloc(olen))) { if ((data = malloc(olen))) {
memset(data, 0, olen); memset(data, 0, olen);
c = data; c = data;
for (p = indup; p && *p; p++) { for (p = indup; p && p < endof_indup && *p; p++) {
vtype = 0; vtype = 0;
if (*p == '\\') { if (*p == '\\') {
@ -1699,7 +1700,7 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables(switch_channel_t *channel
e++; e++;
} }
p = e; p = e > endof_indup ? endof_indup : e;
if ((vval = strchr(vname, '('))) { if ((vval = strchr(vname, '('))) {
e = vval - 1; e = vval - 1;

7
src/switch_event.c
View File

@ -1190,7 +1190,7 @@ if ((dp = realloc(data, olen))) {\
SWITCH_DECLARE(char *) switch_event_expand_headers(switch_event_t *event, const char *in) SWITCH_DECLARE(char *) switch_event_expand_headers(switch_event_t *event, const char *in)
{ {
char *p, *c = NULL; char *p, *c = NULL;
char *data, *indup; char *data, *indup, *endof_indup;
size_t sp = 0, len = 0, olen = 0, vtype = 0, br = 0, cpos, block = 128; size_t sp = 0, len = 0, olen = 0, vtype = 0, br = 0, cpos, block = 128;
const char *q, *sub_val = NULL; const char *q, *sub_val = NULL;
char *cloned_sub_val = NULL; char *cloned_sub_val = NULL;
@ -1219,11 +1219,12 @@ SWITCH_DECLARE(char *) switch_event_expand_headers(switch_event_t *event, const
nv = 0; nv = 0;
olen = strlen(in) + 1; olen = strlen(in) + 1;
indup = strdup(in); indup = strdup(in);
endof_indup = end_of_p(indup);
if ((data = malloc(olen))) { if ((data = malloc(olen))) {
memset(data, 0, olen); memset(data, 0, olen);
c = data; c = data;
for (p = indup; p && *p; p++) { for (p = indup; p && p < endof_indup && *p; p++) {
vtype = 0; vtype = 0;
if (*p == '\\') { if (*p == '\\') {
@ -1286,7 +1287,7 @@ SWITCH_DECLARE(char *) switch_event_expand_headers(switch_event_t *event, const
e++; e++;
} }
p = e; p = e > endof_indup ? endof_indup : e;
if ((vval = strchr(vname, '('))) { if ((vval = strchr(vname, '('))) {
e = vval - 1; e = vval - 1;