check bounds - prevents for buffer overflow

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@221153 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/funcs/func_strings.c b/funcs/func_strings.c
index 68f806ff1ee6aec9e78e8498c49d14efe8b1a600..3dcca56ee7d55700e30ef361026f6037aeb5c306 100644 (file)
--- a/funcs/func_strings.c
+++ b/funcs/func_strings.c
@@ -384,6 +384,12 @@ static struct ast_custom_function sprintf_function = {
 static int quote(struct ast_channel *chan, char *cmd, char *data, char *buf, size_t len)
 {
        char *bufptr = buf, *dataptr = data;
+
+       if (len < 3){ /* at least two for quotes and one for binary zero */
+               ast_log(LOG_ERROR, "Not enough buffer");
+               return -1;
+       }
+
        if (ast_strlen_zero(data)) {
                ast_log(LOG_WARNING, "No argument specified!\n");
                ast_copy_string(buf, "\"\"", len);
@@ -391,7 +397,7 @@ static int quote(struct ast_channel *chan, char *cmd, char *data, char *buf, siz
        }
 
        *bufptr++ = '"';
-       for (; bufptr < buf + len - 1; dataptr++) {
+       for (; bufptr < buf + len - 3; dataptr++) {
                if (*dataptr == '\\') {
                        *bufptr++ = '\\';
                        *bufptr++ = '\\';