Bounds checking for input string

(closes issue #16407)
 Reported by: qwell
 Patches:
       20100104__issue16407.diff.txt uploaded by tilghman (license 14)

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@237573 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/main/say.c b/main/say.c
index 507c3c3e2f6cd0e44de1878530219a9d534c7171..064366022ee088208029dadfe891a530c40567a9 100644 (file)
--- a/main/say.c
+++ b/main/say.c
@@ -3253,9 +3253,9 @@ int ast_say_date_with_format_en(struct ast_channel *chan, time_t time, const cha
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset=0;
-                               for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                        sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                res = wait_file(chan,ints,sndfile,lang);
                                break;
@@ -3501,9 +3501,9 @@ int ast_say_date_with_format_da(struct ast_channel *chan, time_t time, const cha
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset=0;
-                               for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                        sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                res = wait_file(chan,ints,sndfile,lang);
                                break;
@@ -3706,9 +3706,9 @@ int ast_say_date_with_format_de(struct ast_channel *chan, time_t time, const cha
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset=0;
-                               for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                        sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                res = wait_file(chan,ints,sndfile,lang);
                                break;
@@ -3938,9 +3938,9 @@ int ast_say_date_with_format_he(struct ast_channel *chan, time_t time, const cha
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset=0;
-                               for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                        sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                res = wait_file(chan,ints,sndfile,lang);
                                break;
@@ -4093,9 +4093,9 @@ int ast_say_date_with_format_es(struct ast_channel *chan, time_t time, const cha
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset=0;
-                               for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                        sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                snprintf(nextmsg,sizeof(nextmsg), "%s", sndfile);
                                res = wait_file(chan,ints,nextmsg,lang);
@@ -4285,9 +4285,9 @@ int ast_say_date_with_format_fr(struct ast_channel *chan, time_t time, const cha
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset=0;
-                               for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                        sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                res = wait_file(chan,ints,sndfile,lang);
                                break;
@@ -4483,9 +4483,9 @@ int ast_say_date_with_format_it(struct ast_channel *chan, time_t time, const cha
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset=0;
-                               for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
-                               sndfile[sndoffset] = format[offset];
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
+                                       sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                res = wait_file(chan,ints,sndfile,lang);
                                break;
@@ -4716,9 +4716,9 @@ int ast_say_date_with_format_nl(struct ast_channel *chan, time_t time, const cha
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset=0;
-                               for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                        sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                res = wait_file(chan,ints,sndfile,lang);
                                break;
@@ -4922,9 +4922,9 @@ int ast_say_date_with_format_pl(struct ast_channel *chan, time_t thetime, const
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset = 0;
-                               for (sndoffset = 0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                        sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                res = wait_file(chan, ints, sndfile, lang);
                                break;
@@ -5140,9 +5140,9 @@ int ast_say_date_with_format_pt(struct ast_channel *chan, time_t time, const cha
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset=0;
-                               for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                        sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                snprintf(nextmsg,sizeof(nextmsg), "%s", sndfile);
                                res = wait_file(chan,ints,nextmsg,lang);
@@ -5430,9 +5430,9 @@ int ast_say_date_with_format_zh(struct ast_channel *chan, time_t time, const cha
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                        case '\'':
                                /* Literal name of a sound file */
-                               sndoffset=0;
-                               for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                               for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                        sndfile[sndoffset] = format[offset];
+                               }
                                sndfile[sndoffset] = '\0';
                                res = wait_file(chan,ints,sndfile,lang);
                                break;
@@ -6807,9 +6807,9 @@ static int ast_say_date_with_format_gr(struct ast_channel *chan, time_t time, co
                        /* NOTE:  if you add more options here, please try to be consistent with strftime(3) */
                case '\'':
                        /* Literal name of a sound file */
-                       sndoffset=0;
-                       for (sndoffset=0 ; (format[++offset] != '\'') && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++)
+                       for (sndoffset = 0; !strchr("\'\0", format[++offset]) && (sndoffset < sizeof(sndfile) - 1) ; sndoffset++) {
                                sndfile[sndoffset] = format[offset];
+                       }
                        sndfile[sndoffset] = '\0';
                        res = wait_file(chan,ints,sndfile,lang);
                        break;