Summary: | ASTERISK-15286: [patch] potential buffer overflow in say_date_with_format() | ||
Reporter: | Jason Parker (jparker) | Labels: | |
Date Opened: | 2009-12-07 15:40:41.000-0600 | Date Closed: | 2010-01-05 09:26:18.000-0600 |
Priority: | Critical | Regression? | No |
Status: | Closed/Complete | Components: | Core/General |
Versions: | Frequency of Occurrence | ||
Related Issues: | |||
Environment: | Attachments: | ( 0) 16407-say.c.patch ( 1) 20100104__issue16407.diff.txt | |
Description: | An improper (or crafted) format string can cause a buffer overflow in say_date_with_format().

Inside the ast_say_date_with_format_LANG() functions (all of them appear to have the same bug - yay copy/paste?), there is a for loop that iterates over format. If format contains only one apostrophe, the inner loop can loop beyond the end of format. I believe that inner loop should be checking bounds with format[offset + 1].

****** ADDITIONAL INFORMATION ******

This problem exists in every branch. | ||
Comments: |

By: dant (dant) 2009-12-07 17:49:26.000-0600

Patch attached that checks for null string terminator on index increment in the inner loop.

By: Digium Subversion (svnbot) 2010-01-04 15:45:47.000-0600

Repository: asterisk
Revision: 237573

U branches/1.4/main/say.c

------------------------------------------------------------------------

r237573 | tilghman | 2010-01-04 15:45:47 -0600 (Mon, 04 Jan 2010) | 6 lines

Bounds checking for input string
(closes issue ASTERISK-15286)
Reported by: qwell
Patches:
20100104__issue16407.diff.txt uploaded by tilghman (license 14)

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=237573

By: Digium Subversion (svnbot) 2010-01-04 15:48:21.000-0600

Repository: asterisk
Revision: 237574

_U trunk/
U trunk/main/say.c

------------------------------------------------------------------------

r237574 | tilghman | 2010-01-04 15:48:21 -0600 (Mon, 04 Jan 2010) | 13 lines

Merged revisions 237573 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........

r237573 | tilghman | 2010-01-04 15:45:46 -0600 (Mon, 04 Jan 2010) | 6 lines

Bounds checking for input string
(closes issue ASTERISK-15286)
Reported by: qwell
Patches:
20100104__issue16407.diff.txt uploaded by tilghman (license 14)

........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=237574

By: Digium Subversion (svnbot) 2010-01-04 15:51:55.000-0600

Repository: asterisk
Revision: 237575

_U branches/1.6.0/
U branches/1.6.0/main/say.c

------------------------------------------------------------------------

r237575 | tilghman | 2010-01-04 15:51:55 -0600 (Mon, 04 Jan 2010) | 20 lines

Merged revisions 237574 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................

r237574 | tilghman | 2010-01-04 15:48:20 -0600 (Mon, 04 Jan 2010) | 13 lines

Merged revisions 237573 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........

r237573 | tilghman | 2010-01-04 15:45:46 -0600 (Mon, 04 Jan 2010) | 6 lines

Bounds checking for input string
(closes issue ASTERISK-15286)
Reported by: qwell
Patches:
20100104__issue16407.diff.txt uploaded by tilghman (license 14)

........

................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=237575

By: Digium Subversion (svnbot) 2010-01-04 15:52:03.000-0600

Repository: asterisk
Revision: 237576

_U branches/1.6.1/
U branches/1.6.1/main/say.c

------------------------------------------------------------------------

r237576 | tilghman | 2010-01-04 15:52:03 -0600 (Mon, 04 Jan 2010) | 20 lines

Merged revisions 237574 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................

r237574 | tilghman | 2010-01-04 15:48:20 -0600 (Mon, 04 Jan 2010) | 13 lines

Merged revisions 237573 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........

r237573 | tilghman | 2010-01-04 15:45:46 -0600 (Mon, 04 Jan 2010) | 6 lines

Bounds checking for input string
(closes issue ASTERISK-15286)
Reported by: qwell
Patches:
20100104__issue16407.diff.txt uploaded by tilghman (license 14)

........

................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=237576

By: Digium Subversion (svnbot) 2010-01-04 15:52:11.000-0600

Repository: asterisk
Revision: 237577

_U branches/1.6.2/
U branches/1.6.2/main/say.c

------------------------------------------------------------------------

r237577 | tilghman | 2010-01-04 15:52:11 -0600 (Mon, 04 Jan 2010) | 20 lines

Merged revisions 237574 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................

r237574 | tilghman | 2010-01-04 15:48:20 -0600 (Mon, 04 Jan 2010) | 13 lines

Merged revisions 237573 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........

r237573 | tilghman | 2010-01-04 15:45:46 -0600 (Mon, 04 Jan 2010) | 6 lines

Bounds checking for input string
(closes issue ASTERISK-15286)
Reported by: qwell
Patches:
20100104__issue16407.diff.txt uploaded by tilghman (license 14)

........

................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=237577 |
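
The bug class from the description, as an added example that is not Asterisk's code or either attached patch: an inner loop that ends only on a closing apostrophe, next to a bounded form that checks `format[offset + 1]` for the terminator. All names (`scan_literal_unsafe`, `scan_literal_safe`, `bytes_past_end`, `SND_MAX`, `arena`) and the sample input are constructed for illustration; the over-read stays inside one array so the program is well defined.

```c
#include <stdio.h>
#include <string.h>

#define SND_MAX 64 /* assumed size of the sound-file name buffer */
typedef size_t (*scan_fn)(const char *format, size_t offset, char *snd);

/* Pattern from the report: only a closing apostrophe ends the inner loop,
 * so an unbalanced quote keeps reading after the format's terminator. */
static size_t scan_literal_unsafe(const char *format, size_t offset, char *snd)
{
    size_t n = 0;
    while (format[++offset] != '\'' && n < SND_MAX - 1)
        snd[n++] = format[offset];
    snd[n] = '\0';
    return offset; /* index where the scan stopped */
}

/* Bounded form: look at format[offset + 1] and stop at '\0' as well. */
static size_t scan_literal_safe(const char *format, size_t offset, char *snd)
{
    size_t n = 0;
    while (format[offset + 1] != '\0' && format[offset + 1] != '\'' && n < SND_MAX - 1)
        snd[n++] = format[++offset];
    snd[n] = '\0';
    if (format[offset + 1] == '\'')
        offset++; /* consume the closing apostrophe */
    return offset;
}

/* Constructed input: the format "A'beep" (one apostrophe) sits in a larger
 * array; the bytes after its terminator stand in for adjacent memory. */
static const char arena[32] = "A'beep\0ADJACENT'";

/* Bytes examined past the terminator; assumes format contains an apostrophe. */
static size_t bytes_past_end(scan_fn scan, const char *format, char *snd)
{
    size_t end = strlen(format);
    size_t stop = scan(format, (size_t)(strchr(format, '\'') - format), snd);
    return stop > end ? stop - end : 0;
}

int main(void)
{
    char snd[SND_MAX];
    printf("unsafe: %zu bytes past end\n", bytes_past_end(scan_literal_unsafe, arena, snd));
    printf("safe:   %zu bytes past end\n", bytes_past_end(scan_literal_safe, arena, snd));
    return 0;
}
```

With a balanced literal such as `A'beep'B` both scanners stop at the same index; they diverge only when the closing apostrophe is missing.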