From: Matthias Nick <mnick@digium.com>
Date: Wed, 30 Sep 2009 15:37:39 +0000 (+0000)
Subject: check bounds - prevents for buffer overflow
X-Git-Tag: 1.4.27-rc2~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e66c485660a3ae9177b46b2328f04980ac405247;p=thirdparty%2Fasterisk.git

check bounds - prevents for buffer overflow


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@221153 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---

diff --git a/funcs/func_strings.c b/funcs/func_strings.c
index 68f806ff1e..3dcca56ee7 100644
--- a/funcs/func_strings.c
+++ b/funcs/func_strings.c
@@ -384,6 +384,12 @@ static struct ast_custom_function sprintf_function = {
 static int quote(struct ast_channel *chan, char *cmd, char *data, char *buf, size_t len)
 {
 	char *bufptr = buf, *dataptr = data;
+
+	if (len < 3){ /* at least two for quotes and one for binary zero */
+		ast_log(LOG_ERROR, "Not enough buffer");
+		return -1;
+	}
+
 	if (ast_strlen_zero(data)) {
 		ast_log(LOG_WARNING, "No argument specified!\n");
 		ast_copy_string(buf, "\"\"", len);
@@ -391,7 +397,7 @@ static int quote(struct ast_channel *chan, char *cmd, char *data, char *buf, siz
 	}
 
 	*bufptr++ = '"';
-	for (; bufptr < buf + len - 1; dataptr++) {
+	for (; bufptr < buf + len - 3; dataptr++) {
 		if (*dataptr == '\\') {
 			*bufptr++ = '\\';
 			*bufptr++ = '\\';