[thirdparty/asterisk.git] /

From aefc5f83f7de651e3a37e7e1781bfaef46dab9c4 Mon Sep 17 00:00:00 2001
From: Ben Ford <bford@sangoma.com>
Date: Wed, 30 Nov 2022 11:28:16 -0600
Subject: [PATCH] Merge pull request from GHSA-fq45-m3f7-3mhj

* Initial patch

* Use 'pj_scan_is_eof(scanner)'

Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>

* Use 'pj_scan_is_eof(scanner)'

Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>

* Use 'pj_scan_is_eof(scanner)'

Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>

* Use `!pj_scan_is_eof` instead of manually checking `scanner->curptr < scanner->end`

Co-authored-by: Maksim Mukosey <mmukosey@gmail.com>

* Update pjlib-util/src/pjlib-util/scanner.c

Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>

* Update pjlib-util/src/pjlib-util/scanner.c

Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>

* Update pjlib-util/src/pjlib-util/scanner.c

Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>

* Revert '>=' back to '>' in pj_scan_stricmp_alnum()

* Fix error compiles.

Co-authered-by: sauwming <ming@teluu.com>
Co-authored-by: Nanang Izzuddin <nanang@teluu.com>
Co-authored-by: Aaron Lichtman <aaronlichtman@gmail.com>
Co-authored-by: Maksim Mukosey <mmukosey@gmail.com>
---
 pjlib-util/src/pjlib-util/scanner.c | 41 +++++++++++++++++++----------
 pjmedia/src/pjmedia/rtp.c           | 11 +++++---
 pjmedia/src/pjmedia/sdp.c           | 24 ++++++++++-------
 3 files changed, 48 insertions(+), 28 deletions(-)

diff --git a/pjlib-util/src/pjlib-util/scanner.c b/pjlib-util/src/pjlib-util/scanner.c
index c18b74c55..ea27bbec9 100644
--- a/pjlib-util/src/pjlib-util/scanner.c
+++ b/pjlib-util/src/pjlib-util/scanner.c
@@ -195,7 +195,13 @@ PJ_DEF(void) pj_scan_skip_whitespace( pj_scanner *scanner )
 
 PJ_DEF(void) pj_scan_skip_line( pj_scanner *scanner )
 {
-    char *s = pj_ansi_strchr(scanner->curptr, '\n');
+    char *s;
+
+    if (pj_scan_is_eof(scanner)) {
+        return;
+    }
+
+    s = pj_memchr(scanner->curptr, '\n', scanner->end - scanner->curptr);
     if (!s) {
        scanner->curptr = scanner->end;
     } else {
@@ -264,8 +270,7 @@ PJ_DEF(void) pj_scan_get( pj_scanner *scanner,
 
     pj_assert(pj_cis_match(spec,0)==0);
 
-    /* EOF is detected implicitly */
-    if (!pj_cis_match(spec, *s)) {
+    if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s)) {
        pj_scan_syntax_err(scanner);
        return;
     }
@@ -299,8 +304,7 @@ PJ_DEF(void) pj_scan_get_unescape( pj_scanner *scanner,
     /* Must not match character '%' */
     pj_assert(pj_cis_match(spec,'%')==0);
 
-    /* EOF is detected implicitly */
-    if (!pj_cis_match(spec, *s) && *s != '%') {
+    if (pj_scan_is_eof(scanner) || !pj_cis_match(spec, *s) && *s != '%') {
        pj_scan_syntax_err(scanner);
        return;
     }
@@ -436,7 +440,9 @@ PJ_DEF(void) pj_scan_get_n( pj_scanner *scanner,
     
     scanner->curptr += N;
 
-    if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws) {
+    if (!pj_scan_is_eof(scanner) &&
+       PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && scanner->skip_ws)
+    {
        pj_scan_skip_whitespace(scanner);
     }
 }
@@ -462,15 +468,16 @@ PJ_DEF(int) pj_scan_get_char( pj_scanner *scanner )
 
 PJ_DEF(void) pj_scan_get_newline( pj_scanner *scanner )
 {
-    if (!PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {
+    if (pj_scan_is_eof(scanner) || !PJ_SCAN_IS_NEWLINE(*scanner->curptr)) {
        pj_scan_syntax_err(scanner);
        return;
     }
 
+    /* We have checked scanner->curptr validity above */
     if (*scanner->curptr == '\r') {
        ++scanner->curptr;
     }
-    if (*scanner->curptr == '\n') {
+    if (!pj_scan_is_eof(scanner) && *scanner->curptr == '\n') {
        ++scanner->curptr;
     }
 
@@ -515,7 +522,9 @@ PJ_DEF(void) pj_scan_get_until( pj_scanner *scanner,
 
     scanner->curptr = s;
 
-    if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
+    if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
+       scanner->skip_ws)
+    {
        pj_scan_skip_whitespace(scanner);
     }
 }
@@ -539,7 +548,9 @@ PJ_DEF(void) pj_scan_get_until_ch( pj_scanner *scanner,
 
     scanner->curptr = s;
 
-    if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
+    if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
+       scanner->skip_ws)
+    {
        pj_scan_skip_whitespace(scanner);
     }
 }
@@ -565,7 +576,9 @@ PJ_DEF(void) pj_scan_get_until_chr( pj_scanner *scanner,
 
     scanner->curptr = s;
 
-    if (PJ_SCAN_IS_PROBABLY_SPACE(*s) && scanner->skip_ws) {
+    if (!pj_scan_is_eof(scanner) && PJ_SCAN_IS_PROBABLY_SPACE(*s) &&
+       scanner->skip_ws)
+    {
        pj_scan_skip_whitespace(scanner);
     }
 }
@@ -580,7 +593,9 @@ PJ_DEF(void) pj_scan_advance_n( pj_scanner *scanner,
 
     scanner->curptr += N;
 
-    if (PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws) {
+    if (!pj_scan_is_eof(scanner) && 
+       PJ_SCAN_IS_PROBABLY_SPACE(*scanner->curptr) && skip_ws)
+    {
        pj_scan_skip_whitespace(scanner);
     }
 }
@@ -631,5 +646,3 @@ PJ_DEF(void) pj_scan_restore_state( pj_scanner *scanner,
     scanner->line = state->line;
     scanner->start_line = state->start_line;
 }
-
-
diff --git a/pjmedia/src/pjmedia/rtp.c b/pjmedia/src/pjmedia/rtp.c
index 6c571010c..c987cd0ad 100644
--- a/pjmedia/src/pjmedia/rtp.c
+++ b/pjmedia/src/pjmedia/rtp.c
@@ -183,6 +183,11 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(
     /* Payload is located right after header plus CSRC */
     offset = sizeof(pjmedia_rtp_hdr) + ((*hdr)->cc * sizeof(pj_uint32_t));
 
+    /* Check that offset is less than packet size */
+    if (offset >= pkt_len) {
+        return PJMEDIA_RTP_EINLEN;
+    }
+
     /* Decode RTP extension. */
     if ((*hdr)->x) {
         dec_hdr->ext_hdr = (pjmedia_rtp_ext_hdr*)(((pj_uint8_t*)pkt) + offset);
@@ -195,8 +200,8 @@ PJ_DEF(pj_status_t) pjmedia_rtp_decode_rtp2(
        dec_hdr->ext_len = 0;
     }
 
-    /* Check that offset is less than packet size */
-    if (offset > pkt_len)
+    /* Check again that offset is still less than packet size */
+    if (offset >= pkt_len)
        return PJMEDIA_RTP_EINLEN;
 
     /* Find and set payload. */
@@ -386,5 +391,3 @@ void pjmedia_rtp_seq_update( pjmedia_rtp_seq_session *sess,
        seq_status->status.value = st.status.value;
     }
 }
-
-
diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
index c443d863f..f27a1a84f 100644
--- a/pjmedia/src/pjmedia/sdp.c
+++ b/pjmedia/src/pjmedia/sdp.c
@@ -967,13 +967,13 @@ static void parse_version(pj_scanner *scanner, parse_context *ctx)
     ctx->last_error = PJMEDIA_SDP_EINVER;
 
     /* check equal sign */
-    if (*(scanner->curptr+1) != '=') {
+    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
        on_scanner_error(scanner);
        return;
     }
 
     /* check version is 0 */
-    if (*(scanner->curptr+2) != '0') {
+    if (scanner->curptr+2 >= scanner->end || *(scanner->curptr+2) != '0') {
        on_scanner_error(scanner);
        return;
     }
@@ -990,7 +990,7 @@ static void parse_origin(pj_scanner *scanner, pjmedia_sdp_session *ses,
     ctx->last_error = PJMEDIA_SDP_EINORIGIN;
 
     /* check equal sign */
-    if (*(scanner->curptr+1) != '=') {
+    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
        on_scanner_error(scanner);
        return;
     }
@@ -1036,7 +1036,7 @@ static void parse_time(pj_scanner *scanner, pjmedia_sdp_session *ses,
     ctx->last_error = PJMEDIA_SDP_EINTIME;
 
     /* check equal sign */
-    if (*(scanner->curptr+1) != '=') {
+    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
        on_scanner_error(scanner);
        return;
     }
@@ -1064,7 +1064,7 @@ static void parse_generic_line(pj_scanner *scanner, pj_str_t *str,
     ctx->last_error = PJMEDIA_SDP_EINSDP;
 
     /* check equal sign */
-    if (*(scanner->curptr+1) != '=') {
+    if ((scanner->curptr+1 >= scanner->end) || *(scanner->curptr+1) != '=') {
        on_scanner_error(scanner);
        return;
     }
@@ -1133,7 +1133,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
     ctx->last_error = PJMEDIA_SDP_EINMEDIA;
 
     /* check the equal sign */
-    if (*(scanner->curptr+1) != '=') {
+    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
        on_scanner_error(scanner);
        return;
     }
@@ -1148,6 +1148,10 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
     /* port */
     pj_scan_get(scanner, &cs_token, &str);
     med->desc.port = (unsigned short)pj_strtoul(&str);
+    if (pj_scan_is_eof(scanner)) {
+        on_scanner_error(scanner);
+        return;
+    }
     if (*scanner->curptr == '/') {
        /* port count */
        pj_scan_get_char(scanner);
@@ -1159,7 +1163,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
     }
 
     if (pj_scan_get_char(scanner) != ' ') {
-       PJ_THROW(SYNTAX_ERROR);
+       on_scanner_error(scanner);
     }
 
     /* transport */
@@ -1167,7 +1171,7 @@ static void parse_media(pj_scanner *scanner, pjmedia_sdp_media *med,
 
     /* format list */
     med->desc.fmt_count = 0;
-    while (*scanner->curptr == ' ') {
+    while (scanner->curptr < scanner->end && *scanner->curptr == ' ') {
        pj_str_t fmt;
 
        pj_scan_get_char(scanner);
@@ -1207,7 +1211,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,
     attr = PJ_POOL_ALLOC_T(pool, pjmedia_sdp_attr);
 
     /* check equal sign */
-    if (*(scanner->curptr+1) != '=') {
+    if (scanner->curptr+1 >= scanner->end || *(scanner->curptr+1) != '=') {
        on_scanner_error(scanner);
        return NULL;
     }
@@ -1226,7 +1230,7 @@ static pjmedia_sdp_attr *parse_attr( pj_pool_t *pool, pj_scanner *scanner,
            pj_scan_get_char(scanner);
 
        /* get value */
-       if (*scanner->curptr != '\r' && *scanner->curptr != '\n') {
+       if (!pj_scan_is_eof(scanner) && *scanner->curptr != '\r' && *scanner->curptr != '\n') {
            pj_scan_get_until_chr(scanner, "\r\n", &attr->value);
        } else {
            attr->value.ptr = NULL;
-- 
2.25.1