Fix crash with invalid frame data

The crash was happening as a result of a frame containing an invalid data
pointer, but was set with data length of zero. The few times the issue was
reproduced it _seemed_ that the frame was queued properly, that is the data
pointer was set to NULL. I never could reproduce the crash so as a last resort
the crash has been fixed, but a check in __ast_read has been added to give as
much information about the source of problematic frames in the future.

(closes issue #16058)
Reported by: atis

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@231911 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/main/channel.c b/main/channel.c
index 61a5a36088f480925f33e5e4671aa7d3010a2f4f..dfd1062aca8735a5365ffca43e324b93070941fc 100644 (file)
--- a/main/channel.c
+++ b/main/channel.c
@@ -2513,6 +2513,17 @@ static struct ast_frame *__ast_read(struct ast_channel *chan, int dropaudio)
                ast_frame_dump(chan->name, f, "<<");
        chan->fin = FRAMECOUNT_INC(chan->fin);
 
+       if (f && f->datalen == 0 && f->data) {
+               /* fix invalid pointer */
+               f->data = NULL;
+#ifdef AST_DEVMODE
+               ast_log(LOG_ERROR, "Found frame with src '%s' with datalen zero, but non-null data pointer!\n", f->src);
+               ast_frame_dump(chan->name, f, "<<");
+#else
+               ast_debug(3, "Found frame with src '%s' on channel '%s' with datalen zero, but non-null data pointer!\n", f->src, chan->name);
+#endif
+       }
+
 done:
        ast_channel_unlock(chan);
        return f;