Merge "PJSIP XML, XPIDF: Fix buffer size overwrite memory corruption error."
commit
785aa18a23
|
@ -17,14 +17,15 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*!
|
/*!
|
||||||
* \brief The length of the XML prolog when printing
|
* \brief Length of the XML prolog when printing presence or other XML in PJSIP.
|
||||||
* presence or other XML in PJSIP.
|
|
||||||
*
|
*
|
||||||
* When calling any variant of pj_xml_print(), the documentation
|
* When calling any variant of pj_xml_print(), the documentation
|
||||||
* claims that it will return -1 if the provided buffer is not
|
* claims that it will return -1 if the provided buffer is not
|
||||||
* large enough. However, if the XML prolog is requested to be
|
* large enough. However, if the XML prolog is requested to be
|
||||||
* printed, then the length of the XML prolog is returned upon
|
* printed and the buffer is not large enough, then it will
|
||||||
* failure instead of -1.
|
* return -1 only if the buffer is not large enough to hold the
|
||||||
|
* XML prolog or return the length of the XML prolog on failure
|
||||||
|
* instead of -1.
|
||||||
*
|
*
|
||||||
* This constant is useful to check against when trying to determine
|
* This constant is useful to check against when trying to determine
|
||||||
* if printing XML succeeded or failed.
|
* if printing XML succeeded or failed.
|
||||||
|
|
|
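Review bot: The rewritten comment describes what pj_xml_print() returns on failure, but it never states the check callers should make, and its middle sentence is hard to parse. Since a too-small buffer can produce either -1 or the prolog length, I would state the rule directly, e.g. `* Treat any return value <= AST_PJSIP_XML_PROLOG_LEN as a failed or truncated print.` That matches the `<=` comparisons this commit introduces at the call sites. The comment block closes outside the hunk.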
@ -163,14 +163,13 @@ static void dialog_info_to_string(void *body, struct ast_str **str)
|
||||||
int size;
|
int size;
|
||||||
|
|
||||||
do {
|
do {
|
||||||
size = pj_xml_print(dialog_info, ast_str_buffer(*str), ast_str_size(*str), PJ_TRUE);
|
size = pj_xml_print(dialog_info, ast_str_buffer(*str), ast_str_size(*str) - 1, PJ_TRUE);
|
||||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||||
ast_str_make_space(str, ast_str_size(*str) * 2);
|
ast_str_make_space(str, ast_str_size(*str) * 2);
|
||||||
++growths;
|
++growths;
|
||||||
}
|
}
|
||||||
} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
||||||
|
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
|
||||||
ast_log(LOG_WARNING, "dialog-info+xml body text too large\n");
|
ast_log(LOG_WARNING, "dialog-info+xml body text too large\n");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
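Review bot: `ast_str_size(*str) - 1` wraps to a very large length if the string ever has a size of zero, because the subtraction appears to be done on an unsigned size; pj_xml_print() would then be given a bound far beyond the real buffer. The callers are not visible here, so this may never occur, but a guard before the loop such as `if (!ast_str_size(*str)) { return; }` (or an assertion) would make the precondition explicit. The same expression is used in pidf_to_string and xpidf_to_string. A short comment on the `- 1` would also help, e.g. `/* leave room for the terminating NUL */`, assuming that is its purpose. The function body starts and ends outside the hunk.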
@ -84,19 +84,18 @@ static int pidf_generate_body_content(void *body, void *data)
|
||||||
|
|
||||||
static void pidf_to_string(void *body, struct ast_str **str)
|
static void pidf_to_string(void *body, struct ast_str **str)
|
||||||
{
|
{
|
||||||
int size;
|
|
||||||
int growths = 0;
|
|
||||||
pjpidf_pres *pres = body;
|
pjpidf_pres *pres = body;
|
||||||
|
int growths = 0;
|
||||||
|
int size;
|
||||||
|
|
||||||
do {
|
do {
|
||||||
size = pjpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str) - 1);
|
size = pjpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str) - 1);
|
||||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||||
ast_str_make_space(str, ast_str_size(*str) * 2);
|
ast_str_make_space(str, ast_str_size(*str) * 2);
|
||||||
++growths;
|
++growths;
|
||||||
}
|
}
|
||||||
} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
||||||
|
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
|
||||||
ast_log(LOG_WARNING, "PIDF body text too large\n");
|
ast_log(LOG_WARNING, "PIDF body text too large\n");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
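Review bot: The result of `ast_str_make_space()` is ignored in the retry loop, so if the grow fails the same print is repeated into the same buffer until `growths` reaches MAX_STRING_GROWTHS. Breaking out on failure is cheap: `if (ast_str_make_space(str, ast_str_size(*str) * 2)) { break; }`, after which the existing post-loop check logs the warning and returns. The loops in dialog_info_to_string and xpidf_to_string have the same shape. This assumes ast_str_make_space() returns non-zero on failure, which should be confirmed against its declaration.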
@ -1769,7 +1769,7 @@ static int rlmi_print_body(struct pjsip_msg_body *msg_body, char *buf, pj_size_t
|
||||||
pj_xml_node *rlmi = msg_body->data;
|
pj_xml_node *rlmi = msg_body->data;
|
||||||
|
|
||||||
num_printed = pj_xml_print(rlmi, buf, size, PJ_TRUE);
|
num_printed = pj_xml_print(rlmi, buf, size, PJ_TRUE);
|
||||||
if (num_printed == AST_PJSIP_XML_PROLOG_LEN) {
|
if (num_printed <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
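Review bot: This call still passes the full `size` to pj_xml_print(), while the three *_to_string functions now pass `ast_str_size(*str) - 1`, and nothing in the hunk says why. If the difference is intentional (for instance because this callback returns the byte count and does not terminate `buf` itself), a one-line comment would keep a later reader from changing it, e.g. `/* buf is not NUL-terminated here, so the whole size may be used */`. If it is not intentional, the length should be reduced in the same way as in the other callers. The function continues outside the hunk.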
@ -106,14 +106,13 @@ static void xpidf_to_string(void *body, struct ast_str **str)
|
||||||
int size;
|
int size;
|
||||||
|
|
||||||
do {
|
do {
|
||||||
size = pjxpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str));
|
size = pjxpidf_print(pres, ast_str_buffer(*str), ast_str_size(*str) - 1);
|
||||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||||
ast_str_make_space(str, ast_str_size(*str) * 2);
|
ast_str_make_space(str, ast_str_size(*str) * 2);
|
||||||
++growths;
|
++growths;
|
||||||
}
|
}
|
||||||
} while (size == AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
} while (size <= AST_PJSIP_XML_PROLOG_LEN && growths < MAX_STRING_GROWTHS);
|
||||||
|
if (size <= AST_PJSIP_XML_PROLOG_LEN) {
|
||||||
if (size == AST_PJSIP_XML_PROLOG_LEN) {
|
|
||||||
ast_log(LOG_WARNING, "XPIDF body text too large\n");
|
ast_log(LOG_WARNING, "XPIDF body text too large\n");
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|