From: Anthony Minessale <anthm@freeswitch.org>
Date: Thu, 11 May 2017 18:22:45 +0000 (-0500)
Subject: FS-10307: [freeswitch-core] Repetitive verto re-attach with video only channels can... 
X-Git-Tag: v1.8.0~517
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db2486919d44bc5faff0759f7eecc39ff71967a2;p=thirdparty%2Ffreeswitch.git

FS-10307: [freeswitch-core] Repetitive verto re-attach with video only channels can cause a buffer overflow #resolve
---

diff --git a/src/switch_core_media.c b/src/switch_core_media.c
index b4c3578986..a465a43b55 100644
--- a/src/switch_core_media.c
+++ b/src/switch_core_media.c
@@ -4403,6 +4403,9 @@ SWITCH_DECLARE(uint8_t) switch_core_media_negotiate_sdp(switch_core_session_t *s
 	v_engine = &smh->engines[SWITCH_MEDIA_TYPE_VIDEO];
 	t_engine = &smh->engines[SWITCH_MEDIA_TYPE_TEXT];
 
+	smh->mparams->num_codecs = 0;
+	smh->num_negotiated_codecs = 0;
+	switch_core_media_prepare_codecs(session, SWITCH_TRUE);
 	codec_array = smh->codecs;
 	total_codecs = smh->mparams->num_codecs;
 
@@ -4925,13 +4928,6 @@ SWITCH_DECLARE(uint8_t) switch_core_media_negotiate_sdp(switch_core_session_t *s
 			}
 
 
-			smh->mparams->num_codecs = 0;
-			smh->num_negotiated_codecs = 0;
-			switch_core_media_prepare_codecs(session, SWITCH_TRUE);
-			codec_array = smh->codecs;
-			total_codecs = smh->mparams->num_codecs;
-
-
 			if (switch_rtp_has_dtls() && dtls_ok(session)) {
 				for (attr = m->m_attributes; attr; attr = attr->a_next) {
 
@@ -5243,7 +5239,7 @@ SWITCH_DECLARE(uint8_t) switch_core_media_negotiate_sdp(switch_core_session_t *s
 				match = 1;
 				a_engine->codec_negotiated = 1;
 
-				for(j = 0; j < m_idx; j++) {
+				for(j = 0; j < m_idx && smh->num_negotiated_codecs < SWITCH_MAX_CODECS; j++) {
 					payload_map_t *pmap = switch_core_media_add_payload_map(session,
 																			SWITCH_MEDIA_TYPE_AUDIO,
 																			matches[j].map->rm_encoding,
@@ -5785,7 +5781,7 @@ SWITCH_DECLARE(uint8_t) switch_core_media_negotiate_sdp(switch_core_session_t *s
 				vmatch = 1;
 				v_engine->codec_negotiated = 1;
 
-				for(j = 0; j < m_idx; j++) {
+				for(j = 0; j < m_idx && smh->num_negotiated_codecs < SWITCH_MAX_CODECS; j++) {
 					payload_map_t *pmap = switch_core_media_add_payload_map(session,
 																			SWITCH_MEDIA_TYPE_VIDEO,
 																			matches[j].map->rm_encoding,