Merge "PJSIP XML, XPIDF: Fix buffer size overwrite memory corruption error."

include/asterisk/res_pjsip_presence_xml.h

@@ -17,14 +17,15 @@
  */
 
 /*!
- * \brief The length of the XML prolog when printing
- * presence or other XML in PJSIP.
+ * \brief Length of the XML prolog when printing presence or other XML in PJSIP.
  *
  * When calling any variant of pj_xml_print(), the documentation
  * claims that it will return -1 if the provided buffer is not
  * large enough. However, if the XML prolog is requested to be
- * printed, then the length of the XML prolog is returned upon
- * failure instead of -1.
+ * printed and the buffer is not large enough, then it will
+ * return -1 only if the buffer is not large enough to hold the
+ * XML prolog or return the length of the XML prolog on failure
+ * instead of -1.
  *
  * This constant is useful to check against when trying to determine
  * if printing XML succeeded or failed.

res/res_pjsip_dialog_info_body_generator.c

@@ -163,14 +163,13 @@ static void dialog_info_to_string(void *body, struct ast_str **str)
 	int size;
 
 	do {
-		size = pj_xml_print(dialog_info, ast_str_buffer(*str), ast_str_size(*str), PJ_TRUE);
-		if (size == AST_PJSIP_XML_PROLOG_LEN) {
+		size = pj_xml_print(dialog_info, ast_str_buffer(*str), ast_str_size(*str) - 1, PJ_TRUE);
+		if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 			ast_str_make_space(str, ast_str_size(*str) * 2);
 			++growths;
 		}
-	} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
-
-	if (size == AST_PJSIP_XML_PROLOG_LEN) {
+	} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
+	if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 		ast_log(LOG_WARNING, "dialog-info+xml body text too large\n");
 		return;
 	}

res/res_pjsip_pidf_body_generator.c

@@ -84,19 +84,18 @@ static int pidf_generate_body_content(void *body, void *data)
 
 static void pidf_to_string(void *body, struct ast_str **str)
 {
-	int size;
-	int growths = 0;
 	pjpidf_pres *pres = body;
+	int growths = 0;
+	int size;
 
 	do {
 		size = pjpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str) - 1);
-		if (size == AST_PJSIP_XML_PROLOG_LEN) {
+		if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 			ast_str_make_space(str, ast_str_size(*str) * 2);
 			++growths;
 		}
-	} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
-
-	if (size == AST_PJSIP_XML_PROLOG_LEN) {
+	} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
+	if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 		ast_log(LOG_WARNING, "PIDF body text too large\n");
 		return;
 	}

res/res_pjsip_pubsub.c

@@ -1769,7 +1769,7 @@ static int rlmi_print_body(struct pjsip_msg_body *msg_body, char *buf, pj_size_t
 	pj_xml_node *rlmi = msg_body->data;
 
 	num_printed = pj_xml_print(rlmi, buf, size, PJ_TRUE);
-	if (num_printed == AST_PJSIP_XML_PROLOG_LEN) {
+	if (num_printed <= AST_PJSIP_XML_PROLOG_LEN) {
 		return -1;
 	}
 

res/res_pjsip_xpidf_body_generator.c

@@ -106,14 +106,13 @@ static void xpidf_to_string(void *body, struct ast_str **str)
 	int size;
 
 	do {
-		size = pjxpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str));
-		if (size == AST_PJSIP_XML_PROLOG_LEN) {
+		size = pjxpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str) - 1);
+		if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 			ast_str_make_space(str, ast_str_size(*str) * 2);
 			++growths;
 		}
-	} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
-
-	if (size == AST_PJSIP_XML_PROLOG_LEN) {
+	} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
+	if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 		ast_log(LOG_WARNING, "XPIDF body text too large\n");
 		return;
 	}