A slightly mroe elegant an commented fix for the potential overflow issue in udptl.c

author Steve Underwood <steveu@coppice.org>

Tue, 12 May 2015 04:00:04 +0000 (12:00 +0800)

committer Steve Underwood <steveu@coppice.org>

Tue, 12 May 2015 04:00:04 +0000 (12:00 +0800)
author Steve Underwood <steveu@coppice.org>
Tue, 12 May 2015 04:00:04 +0000 (12:00 +0800)
committer Steve Underwood <steveu@coppice.org>
Tue, 12 May 2015 04:00:04 +0000 (12:00 +0800)
diff --git a/src/mod/applications/mod_spandsp/udptl.c b/src/mod/applications/mod_spandsp/udptl.c

index 874c30b6867af1f14b4679c91ef56a2a1f99a591..6644a6ed7492856e2fdb317df41e405d6358e91d 100644 (file)
--- a/src/mod/applications/mod_spandsp/udptl.c
+++ b/src/mod/applications/mod_spandsp/udptl.c
@@ -222,10 +222,12 @@ int udptl_rx_packet(udptl_state_t *s, const uint8_t buf[], int len)
                 do {
                         if ((stat = decode_length(buf, len, &ptr, &count)) < 0)
                                 return -1;
+                       if ((total_count + count) >= 16) {
+                               /* There is too much stuff here to be real, and it would overflow the bufs array
+                                  if we continue */
+                               return -1;
+                       }
                         for (i = 0; i < count; i++) {
-                               if (total_count + i >= 16) {
-                                       return -1;
-                               }
                                 if (decode_open_type(buf, len, &ptr, &bufs[total_count + i], &lengths[total_count + i]) != 0)
                                         return -1;
                         }
author	Steve Underwood <steveu@coppice.org>
	Tue, 12 May 2015 04:00:04 +0000 (12:00 +0800)
committer	Steve Underwood <steveu@coppice.org>
	Tue, 12 May 2015 04:00:04 +0000 (12:00 +0800)