Merge "PJSIP XML, XPIDF: Fix buffer size overwrite memory corruption error."

2015-07-07 17:39:07 -05:00 · 2015-07-07 17:39:07 -05:00 · 785aa18a23
parent d173d9692a 7cd99be534
commit 785aa18a23
5 changed files with 19 additions and 21 deletions
--- a/include/asterisk/res_pjsip_presence_xml.h
+++ b/include/asterisk/res_pjsip_presence_xml.h
@ -17,14 +17,15 @@
 */
 /*!
- * \brief The length of the XML prolog when printing
+ * \brief Length of the XML prolog when printing presence or other XML in PJSIP.
 * presence or other XML in PJSIP.
 *
 * When calling any variant of pj_xml_print(), the documentation
 * claims that it will return -1 if the provided buffer is not
 * large enough. However, if the XML prolog is requested to be
- * printed, then the length of the XML prolog is returned upon
+ * printed and the buffer is not large enough, then it will
- * failure instead of -1.
+ * return -1 only if the buffer is not large enough to hold the
 * XML prolog or return the length of the XML prolog on failure
 * instead of -1.
 *
 * This constant is useful to check against when trying to determine
 * if printing XML succeeded or failed.
--- a/res/res_pjsip_dialog_info_body_generator.c
+++ b/res/res_pjsip_dialog_info_body_generator.c
@ -163,14 +163,13 @@ static void dialog_info_to_string(void *body, struct ast_str **str)
 	int size;
 	do {
-		size = pj_xml_print(dialog_info, ast_str_buffer(*str), ast_str_size(*str), PJ_TRUE);
+		size = pj_xml_print(dialog_info, ast_str_buffer(*str), ast_str_size(*str) - 1, PJ_TRUE);
-		if (size == AST_PJSIP_XML_PROLOG_LEN) {
+		if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 			ast_str_make_space(str, ast_str_size(*str) * 2);
 			++growths;
 		}
-	} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
+	} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
-
+	if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 	if (size == AST_PJSIP_XML_PROLOG_LEN) {
 		ast_log(LOG_WARNING, "dialog-info+xml body text too large\n");
 		return;
 	}
--- a/res/res_pjsip_pidf_body_generator.c
+++ b/res/res_pjsip_pidf_body_generator.c
@ -84,19 +84,18 @@ static int pidf_generate_body_content(void *body, void *data)
 static void pidf_to_string(void *body, struct ast_str **str)
 {
 	int size;
 	int growths = 0;
 	pjpidf_pres *pres = body;
 	int growths = 0;
 	int size;
 	do {
 		size = pjpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str) - 1);
-		if (size == AST_PJSIP_XML_PROLOG_LEN) {
+		if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 			ast_str_make_space(str, ast_str_size(*str) * 2);
 			++growths;
 		}
-	} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
+	} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
-
+	if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 	if (size == AST_PJSIP_XML_PROLOG_LEN) {
 		ast_log(LOG_WARNING, "PIDF body text too large\n");
 		return;
 	}
--- a/res/res_pjsip_pubsub.c
+++ b/res/res_pjsip_pubsub.c
@ -1769,7 +1769,7 @@ static int rlmi_print_body(struct pjsip_msg_body *msg_body, char *buf, pj_size_t
 	pj_xml_node *rlmi = msg_body->data;
 	num_printed = pj_xml_print(rlmi, buf, size, PJ_TRUE);
-	if (num_printed == AST_PJSIP_XML_PROLOG_LEN) {
+	if (num_printed <= AST_PJSIP_XML_PROLOG_LEN) {
 		return -1;
 	}
--- a/res/res_pjsip_xpidf_body_generator.c
+++ b/res/res_pjsip_xpidf_body_generator.c
@ -106,14 +106,13 @@ static void xpidf_to_string(void *body, struct ast_str **str)
 	int size;
 	do {
-		size = pjxpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str));
+		size = pjxpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str) - 1);
-		if (size == AST_PJSIP_XML_PROLOG_LEN) {
+		if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 			ast_str_make_space(str, ast_str_size(*str) * 2);
 			++growths;
 		}
-	} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
+	} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
-
+	if (size <= AST_PJSIP_XML_PROLOG_LEN) {
 	if (size == AST_PJSIP_XML_PROLOG_LEN) {
 		ast_log(LOG_WARNING, "XPIDF body text too large\n");
 		return;
 	}