[Freeswitch-svn] [commit] r9236 - freeswitch/trunk/src

Freeswitch SVN anthm at freeswitch.org
Mon Aug 11 11:37:51 EDT 2008


Author: anthm
Date: Mon Aug 11 11:37:50 2008
New Revision: 9236

Modified:
   freeswitch/trunk/src/switch_channel.c
   freeswitch/trunk/src/switch_event.c

Log:
fix out-of-bounds pointer in variable expansion detected by MSVC (thanks for nothing linux) FSCORE-171

Modified: freeswitch/trunk/src/switch_channel.c
==============================================================================
--- freeswitch/trunk/src/switch_channel.c	(original)
+++ freeswitch/trunk/src/switch_channel.c	Mon Aug 11 11:37:50 2008
@@ -1598,7 +1598,7 @@
 SWITCH_DECLARE(char *) switch_channel_expand_variables(switch_channel_t *channel, const char *in)
 {
 	char *p, *c = NULL;
-	char *data, *indup;
+	char *data, *indup, *endof_indup;
 	size_t sp = 0, len = 0, olen = 0, vtype = 0, br = 0, cpos, block = 128;
 	const char *q;
 	char *cloned_sub_val = NULL, *sub_val = NULL;
@@ -1632,11 +1632,12 @@
 	nv = 0;
 	olen = strlen(in) + 1;
 	indup = strdup(in);
+	endof_indup = end_of_p(indup);
 
 	if ((data = malloc(olen))) {
 		memset(data, 0, olen);
 		c = data;
-		for (p = indup; p && *p; p++) {
+		for (p = indup; p && p < endof_indup && *p; p++) {
 			vtype = 0;
 
 			if (*p == '\\') {
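Review bot: The new loop bound `p < endof_indup` may drop the final byte of `in`: `end_of_p()` is not defined in this diff, and if it returns a pointer to the last character rather than to the terminator, the loop exits before that character is copied or expanded. In that case the bound should be one past the last character, `endof_indup = end_of_p(indup) + 1;`, which still keeps `p` inside the allocation because `*p` is tested as well. The added line also hands `indup` to `end_of_p()` before anything checks that `strdup(in)` succeeded, even though the loop condition still tests `p &&`; a NULL check on `indup` belongs ahead of the assignment. Both points apply equally to the matching hunk in `switch_event_expand_headers` in switch_event.c. The function body continues outside this hunk.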
@@ -1699,7 +1700,7 @@
 
 					e++;
 				}
-				p = e;
+				p = e > endof_indup ? endof_indup : e;
 
 				if ((vval = strchr(vname, '('))) {
 					e = vval - 1;
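Review bot: The clamp `p = e > endof_indup ? endof_indup : e;` runs only after `e` has finished advancing, so any read through `e` beyond the end of `indup` has already happened by this line. Comparing a pointer that lies past one-past-the-end of the buffer is also undefined in C, so the test itself is not reliable as a guard. The scan loop that increments `e` begins outside this hunk and cannot be checked here, but the bound would be safer in that loop's condition, so that `e` never leaves the buffer, than as a correction of `p` afterwards. A short comment such as `/* keep p inside indup; e may have stepped past the terminator */` would record why the clamp exists. The same applies to the identical hunk in switch_event.c.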

Modified: freeswitch/trunk/src/switch_event.c
==============================================================================
--- freeswitch/trunk/src/switch_event.c	(original)
+++ freeswitch/trunk/src/switch_event.c	Mon Aug 11 11:37:50 2008
@@ -1190,7 +1190,7 @@
 SWITCH_DECLARE(char *) switch_event_expand_headers(switch_event_t *event, const char *in)
 {
 	char *p, *c = NULL;
-	char *data, *indup;
+	char *data, *indup, *endof_indup;
 	size_t sp = 0, len = 0, olen = 0, vtype = 0, br = 0, cpos, block = 128;
 	const char *q, *sub_val = NULL;
 	char *cloned_sub_val = NULL;
@@ -1219,11 +1219,12 @@
 	nv = 0;
 	olen = strlen(in) + 1;
 	indup = strdup(in);
+	endof_indup = end_of_p(indup);
 
 	if ((data = malloc(olen))) {
 		memset(data, 0, olen);
 		c = data;
-		for (p = indup; p && *p; p++) {
+		for (p = indup; p && p < endof_indup && *p; p++) {
 			vtype = 0;
 
 			if (*p == '\\') {
@@ -1286,7 +1287,7 @@
 
 					e++;
 				}
-				p = e;
+				p = e > endof_indup ? endof_indup : e;
 
 				if ((vval = strchr(vname, '('))) {
 					e = vval - 1;


