Merge "PJSIP XML, XPIDF: Fix buffer size overwrite memory corruption error."
commit
785aa18a23
|
@ -17,14 +17,15 @@
|
|||
*/
|
||||
|
||||
/*!
|
||||
* \brief The length of the XML prolog when printing
|
||||
* presence or other XML in PJSIP.
|
||||
* \brief Length of the XML prolog when printing presence or other XML in PJSIP.
|
||||
*
|
||||
* When calling any variant of pj_xml_print(), the documentation
|
||||
* claims that it will return -1 if the provided buffer is not
|
||||
* large enough. However, if the XML prolog is requested to be
|
||||
* printed, then the length of the XML prolog is returned upon
|
||||
* failure instead of -1.
|
||||
* printed and the buffer is not large enough, then it will
|
||||
* return -1 only if the buffer is not large enough to hold the
|
||||
* XML prolog or return the length of the XML prolog on failure
|
||||
* instead of -1.
|
||||
*
|
||||
* This constant is useful to check against when trying to determine
|
||||
* if printing XML succeeded or failed.
|
||||
|
|
|
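Review bot: The rewritten sentence beginning `* printed and the buffer is not large enough, then it will` and ending `* instead of -1.` is hard to parse and never states the rule a caller has to apply, even though every caller touched in this commit switches to exactly that rule. I would phrase it as `* printed and the buffer is too small, -1 is returned only when even the prolog does not fit; otherwise the length of the prolog is returned instead of -1. Callers must therefore treat any return value <= AST_PJSIP_XML_PROLOG_LEN as a failure.` The enclosing comment block continues past the hunk, so the closing sentence about checking against this constant should be read together with it.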
@ -163,14 +163,13 @@ static void dialog_info_to_string(void *body, struct ast_str **str)
|
|||
int size;
|
||||
|
||||
do {
|
||||
size = pj_xml_print(dialog_info, ast_str_buffer(*str), ast_str_size(*str), PJ_TRUE);
|
||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
||||
size = pj_xml_print(dialog_info, ast_str_buffer(*str), ast_str_size(*str) - 1, PJ_TRUE);
|
||||
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||
ast_str_make_space(str, ast_str_size(*str) * 2);
|
||||
++growths;
|
||||
}
|
||||
} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
||||
|
||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
||||
} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
||||
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||
ast_log(LOG_WARNING, "dialog-info+xml body text too large\n");
|
||||
return;
|
||||
}
|
||||
|
|
|
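Review bot: The `- 1` now passed to pj_xml_print() and the `<=` comparison in the loop and the check after it carry the whole fix, but nothing in the code says which byte is being reserved or why -1 and the prolog length are treated alike; the same applies to the xpidf_to_string hunk. I would add above the `do {`: `/* Reserve one byte for the terminator written at buffer[size] after the loop; pj_xml_print() returns -1 or the prolog length when the buffer is too small, so anything <= AST_PJSIP_XML_PROLOG_LEN is a failure. */`. The termination write and the start of the function are outside the hunk, so the exact offset named in the comment should be confirmed against them.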
@ -84,19 +84,18 @@ static int pidf_generate_body_content(void *body, void *data)
|
|||
|
||||
static void pidf_to_string(void *body, struct ast_str **str)
|
||||
{
|
||||
int size;
|
||||
int growths = 0;
|
||||
pjpidf_pres *pres = body;
|
||||
int growths = 0;
|
||||
int size;
|
||||
|
||||
do {
|
||||
size = pjpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str) - 1);
|
||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
||||
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||
ast_str_make_space(str, ast_str_size(*str) * 2);
|
||||
++growths;
|
||||
}
|
||||
} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
||||
|
||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
||||
} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
||||
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||
ast_log(LOG_WARNING, "PIDF body text too large\n");
|
||||
return;
|
||||
}
|
||||
|
|
|
@ -1769,7 +1769,7 @@ static int rlmi_print_body(struct pjsip_msg_body *msg_body, char *buf, pj_size_t
|
|||
pj_xml_node *rlmi = msg_body->data;
|
||||
|
||||
num_printed = pj_xml_print(rlmi, buf, size, PJ_TRUE);
|
||||
if (num_printed == AST_PJSIP_XML_PROLOG_LEN) {
|
||||
if (num_printed <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
|
|
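Review bot: This hunk keeps passing the full `size` to pj_xml_print() while the dialog_info and xpidf hunks in the same commit now pass `ast_str_size(*str) - 1`, and nothing explains the difference. If, as the signature suggests, rlmi_print_body() is a print_body callback that returns a byte count rather than a NUL-terminated string, the full size is correct, but a one-line comment would stop someone "fixing" it later: `/* No terminator is written here, so the full buffer may be used. */`. The `<=` check covers both the -1 return and the prolog-only return, which matches the other call sites; the function continues outside the hunk.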
@ -106,14 +106,13 @@ static void xpidf_to_string(void *body, struct ast_str **str)
|
|||
int size;
|
||||
|
||||
do {
|
||||
size = pjxpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str));
|
||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
||||
size = pjxpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str) - 1);
|
||||
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||
ast_str_make_space(str, ast_str_size(*str) * 2);
|
||||
++growths;
|
||||
}
|
||||
} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
||||
|
||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
||||
} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
||||
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||
ast_log(LOG_WARNING, "XPIDF body text too large\n");
|
||||
return;
|
||||
}
|
||||
|
|