From: Alexey Khabulyak Date: Thu, 14 Aug 2025 08:21:41 +0000 (+0300) Subject: pbx_lua.c: segfault when pass null data to term_color function X-Git-Tag: 22.6.0-rc1~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b39b10731dd0bc615c86c36475aa59f11d2f92e;p=thirdparty%2Fasterisk.git pbx_lua.c: segfault when pass null data to term_color function This can be reproduced under certain curcomstences. For example: call app.playback from lua with invalid data: app.playback({}). pbx_lua.c will try to get data for this playback using lua_tostring function. This function returs NULL for everything but strings and numbers. Then, it calls term_color with NULL data. term_color function can call(if we don't use vt100 compat term) ast_copy_string with NULL inbuf which cause segfault. bt example: ast_copy_string (size=8192, src=0x0, dst=0x7fe44b4be8b0) at /usr/src/asterisk/asterisk-20.11.0/include/asterisk/strings.h:412 Resolves: https://github.com/asterisk/asterisk/issues/1363 (cherry picked from commit 1cf49aa91ba2479d6e0945527b835f300599dc64) --- diff --git a/pbx/pbx_lua.c b/pbx/pbx_lua.c index 67b4317a47..cf325a73c5 100644 --- a/pbx/pbx_lua.c +++ b/pbx/pbx_lua.c @@ -222,7 +222,7 @@ static int lua_pbx_exec(lua_State *L) exten, context, priority, term_color(tmp, app_name, COLOR_BRCYAN, 0, sizeof(tmp)), term_color(tmp2, ast_channel_name(chan), COLOR_BRMAGENTA, 0, sizeof(tmp2)), - term_color(tmp3, data, COLOR_BRMAGENTA, 0, sizeof(tmp3))); + term_color(tmp3, data ? data : "", COLOR_BRMAGENTA, 0, sizeof(tmp3))); lua_getfield(L, LUA_REGISTRYINDEX, "autoservice"); autoservice = lua_toboolean(L, -1);