Summary: ASTERISK-20901: Security Vulnerability: Possible stack corruption when parsing H.264 format attributes
Reporter: Matt Jordan (mjordan)
Labels:
Date Opened: 2013-01-07 16:05:02.000-0600
Date Closed: 2013-03-27 10:53:57
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Resources/res_format_attr_h264
Versions: 11.1.2
Frequency of Occurrence:
Related Issues:
Environment:
Attachments: (0) AST-2013-001-11.diff (1) h264_overflow_security_patch.diff
Description: {quote}
Hi, I just saw this in res/res_format_attr_h264.c in Asterisk 11.1.2:
{code}
char sps[H264_MAX_SPS_PPS_SIZE], pps[H264_MAX_SPS_PPS_SIZE];
if (sscanf(attrib, "profile-level-id=%lx", &val2) == 1) {
    format_attr->format_attr[H264_ATTR_KEY_PROFILE_IDC] = ((val2 >> 16) & 0xFF);
    format_attr->format_attr[H264_ATTR_KEY_PROFILE_IOP] = ((val2 >> 8) & 0xFF);
    format_attr->format_attr[H264_ATTR_KEY_LEVEL] = (val2 & 0xFF);
} else if (sscanf(attrib, "sprop-parameter-sets=%[^','],%s", sps, pps) == 2) {
    /* %[^','] and %s carry no field width, so sps and pps are written
     * with however many bytes the attribute supplies */
{code}
I suspect there might be a potential buffer overflow here with a long "sprop-parameter-sets" string, but I don't really know the involved protocols well enough to check this. What do you think?
// Ulf Härnhammar
{quote}
Confirmed. When using sscanf, we need to length limit the strings to the length of the buffers on the stack - 1.
Comments:
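The unbounded sscanf pattern from the report beside a width-limited version, as an added example that is not Asterisk's own code and not the attached patch. The buffer size SPS_PPS_SIZE, the function names and the struct are assumptions chosen for illustration; the format string is built from the array sizes so the width matches "buffer size - 1" as the confirmation requires, and the %n check goes one step beyond the ticket by rejecting input that the width limit would otherwise silently truncate.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from Asterisk: it shows the sscanf pattern from the
 * report beside a width-limited version. The buffer size is an assumption,
 * kept small so that an oversized attribute is easy to construct. */
#define SPS_PPS_SIZE 16

struct h264_sprop {
    char sps[SPS_PPS_SIZE];
    char pps[SPS_PPS_SIZE];
};

/* The vulnerable pattern: %[...] and %s with no field width write as many
 * bytes as the input supplies, so anything longer than SPS_PPS_SIZE - 1
 * characters in either field runs past the end of the array. Kept only for
 * contrast; never run it on untrusted input. */
int parse_sprop_unbounded(const char *attrib, struct h264_sprop *out)
{
    return sscanf(attrib, "sprop-parameter-sets=%[^','],%s", out->sps, out->pps);
}

/* Hardened version. Returns 1 on success, 0 otherwise. The width is derived
 * from the array size so it cannot drift if SPS_PPS_SIZE changes, and %n
 * records how much input was consumed: a width limit alone makes sscanf stop
 * silently after SPS_PPS_SIZE - 1 bytes, and a truncated parameter set is
 * not something a decoder should be handed. */
int parse_sprop_bounded(const char *attrib, struct h264_sprop *out)
{
    char fmt[64];
    int consumed = -1;

    /* Produces "sprop-parameter-sets=%15[^,],%15s%n" for SPS_PPS_SIZE 16. */
    if (snprintf(fmt, sizeof fmt, "sprop-parameter-sets=%%%zu[^,],%%%zus%%n",
                 sizeof out->sps - 1, sizeof out->pps - 1) >= (int)sizeof fmt) {
        return 0;
    }

    memset(out, 0, sizeof *out);
    if (sscanf(attrib, fmt, out->sps, out->pps, &consumed) != 2) {
        return 0;
    }
    /* Input left over means a field hit its width limit (or trailing junk):
     * reject rather than accept a silently shortened value. */
    if (consumed < 0 || attrib[consumed] != '\0') {
        return 0;
    }
    return 1;
}

/* Convenience check: 1 if the bounded parser accepts attrib and yields the
 * expected fields, 0 otherwise. */
int bounded_matches(const char *attrib, const char *want_sps, const char *want_pps)
{
    struct h264_sprop s;

    if (!parse_sprop_bounded(attrib, &s)) {
        return 0;
    }
    return strcmp(s.sps, want_sps) == 0 && strcmp(s.pps, want_pps) == 0;
}

int main(void)
{
    /* Constructed inputs: the values are base64-looking placeholders, not
     * real SPS/PPS NAL units. */
    const char *ok       = "sprop-parameter-sets=Z0IAKeKQ,aM48gA==";
    const char *long_sps = "sprop-parameter-sets=Z0IAKeKQZ0IAKeKQZ0IAKeKQ,aM48gA==";
    const char *long_pps = "sprop-parameter-sets=Z0IAKeKQ,aM48gAaM48gAaM48gA";
    const char *no_pps   = "sprop-parameter-sets=Z0IAKeKQ,";
    struct h264_sprop s;

    printf("ok:       %d\n", parse_sprop_bounded(ok, &s));        /* 1 */
    printf("long sps: %d\n", parse_sprop_bounded(long_sps, &s));  /* 0 */
    printf("long pps: %d\n", parse_sprop_bounded(long_pps, &s));  /* 0 */
    printf("no pps:   %d\n", parse_sprop_bounded(no_pps, &s));    /* 0 */
    /* Feeding long_sps to parse_sprop_unbounded would overflow s.sps. */
    return 0;
}
```

Building the format with snprintf rather than hard-coding "%15" is a deliberate choice: a literal width that is edited separately from the buffer declaration is exactly how this class of bug comes back after a fix.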