From: Steve Underwood <steveu@coppice.org>
Date: Tue, 12 May 2015 04:00:04 +0000 (+0800)
Subject: A slightly mroe elegant an commented fix for the potential overflow issue in udptl.c
X-Git-Tag: v1.4.19~6^2~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b156cbd604fbb879d9d987c0581bab2e7dbe6dfb;p=thirdparty%2Ffreeswitch.git

A slightly mroe elegant an commented fix for the potential overflow issue in udptl.c
---

diff --git a/src/mod/applications/mod_spandsp/udptl.c b/src/mod/applications/mod_spandsp/udptl.c
index 874c30b686..6644a6ed74 100644
--- a/src/mod/applications/mod_spandsp/udptl.c
+++ b/src/mod/applications/mod_spandsp/udptl.c
@@ -222,10 +222,12 @@ int udptl_rx_packet(udptl_state_t *s, const uint8_t buf[], int len)
 		do {
 			if ((stat = decode_length(buf, len, &ptr, &count)) < 0)
 				return -1;
+			if ((total_count + count) >= 16) {
+				/* There is too much stuff here to be real, and it would overflow the bufs array
+				   if we continue */
+				return -1;
+			}
 			for (i = 0; i < count; i++) {
-				if (total_count + i >= 16) {
-					return -1;
-				}
 				if (decode_open_type(buf, len, &ptr, &bufs[total_count + i], &lengths[total_count + i]) != 0)
 					return -1;
 			}