| Summary: | ASTERISK-06730: Possible Integer overflow | ||
| Reporter: | manos (manos) | Labels: | |
| Date Opened: | 2006-04-07 14:55:10 | Date Closed: | 2006-04-07 17:11:48 |
| Priority: | Major | Regression? | No |
| Status: | Closed/Complete | Components: | Core/CodecInterface |
| Versions: | Frequency of Occurrence | ||
| Related Issues: | |||
| Environment: | Attachments: | ||
| Description: | In format_jpeg.c, there is a possible Integer overflow bug at line 00058, if len is large enough can turn to negative and bypass the if (len > sizeof(buf)) statement, the unsigned version of len will be passed to read(fd, buf, len); and may cause Buffer Overflow - http://www.asterisk.org/doxygen/format__jpeg_8c-source.html ****** ADDITIONAL INFORMATION ****** FIX : add this in the if statement (| len < 0) or/and make len unsigned | ||
| Comments: | By: Olle Johansson (oej) 2006-04-07 16:33:02 Any reason for making this report private? By: manos (manos) 2006-04-07 17:00:49 Mistake I guess By: Tilghman Lesher (tilghman) 2006-04-07 17:11:48 Committed to 1.2, merged to trunk. | ||