add better bounds checking in dtmf_accepting array to avoid buffer overrun in mod_voi...
authorMichael Jerris <mike@jerris.com>
Wed, 30 Apr 2014 17:31:06 +0000 (13:31 -0400)
committerMichael Jerris <mike@jerris.com>
Wed, 30 Apr 2014 17:31:06 +0000 (13:31 -0400)
src/mod/applications/mod_voicemail_ivr/ivr.c
src/mod/applications/mod_voicemail_ivr/ivr.h

index a2b0af2d9e015e4938ec02b9df995bf67fdac2d9..83ed4e5bbb85cf0a70531571dedc8488e2459ff1 100644 (file)
@@ -41,10 +41,10 @@ static int match_dtmf(switch_core_session_t *session, ivre_data_t *loc) {
        loc->completeMatch = NULL;
        loc->potentialMatchCount = 0;
 
-       for (i = 0; i < loc->dtmf_received; i++) {
+       for (i = 0; i < 16 && i < loc->dtmf_received; i++) {
                int j;
                loc->potentialMatchCount = 0;
-               for (j = 0; !zstr(loc->dtmf_accepted[j]) && j < 128; j++) {
+               for (j = 0; j < 128 && !zstr(loc->dtmf_accepted[j]); j++) {
                        switch_bool_t cMatch = SWITCH_FALSE;
                        char test[2] = { 0 };
 
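Review bot: The limits `16` and `128` in the two loop conditions are literal copies of the `dtmf_accepted` dimensions declared in ivr.h, so a later resize of the array would silently bring back the overrun this commit closes. Deriving them from the object keeps them tied to the declaration: `i < (int)sizeof(loc->dtmf_accepted[0])` and `j < (int)(sizeof(loc->dtmf_accepted) / sizeof(loc->dtmf_accepted[0]))`. The `i < 16` cap also means that input longer than sixteen digits is matched on its prefix only; if that is intended, a short comment such as `/* patterns hold at most 15 digits + NUL; extra input is not compared */` would say so. Both loop bodies continue outside the hunk, so how `i` indexes each entry is inferred from the bound rather than seen.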
index b2ad3d1ad4e4f73e117b04b508147637a3b7a29f..cca9c246589813dab87848b14ddb6e78ab29f7fc 100644 (file)
@@ -36,7 +36,7 @@
 struct ivre_data {
        char dtmf_stored[128];
        int dtmf_received;
-       char dtmf_accepted[16][128];
+       char dtmf_accepted[128][16];
        int result;
        switch_bool_t audio_stopped;
        switch_bool_t recorded_audio;
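Review bot: Swapping the dimensions to `[128][16]` shrinks each accepted pattern from 128 bytes to 16, so whatever code fills `dtmf_accepted` must now bound each copy to `sizeof(loc->dtmf_accepted[0])` and stop after 128 entries. That writer is not part of this diff, so it should be checked for an unbounded copy that was harmless at 128 bytes per entry but would now spill into the next entry. A comment on the field would record the layout for callers: `/* up to 128 patterns, each at most 15 chars + NUL */`. The struct definition continues past the end of the hunk.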