From: Scott Griepentrog Date: Wed, 21 May 2014 18:58:47 +0000 (+0000) Subject: pbx.c: prevent potential crash from recursive replace() X-Git-Tag: 1.8.28.0-rc1~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1035ef957c651b1c8f74d4ce62f5b6fbacabe40a;p=thirdparty%2Fasterisk.git pbx.c: prevent potential crash from recursive replace() Recurisve usage of replace() resulted in corruption of the temporary string storage and potential crash. By changing the string to be allocated separtely per instance, this is eliminated. ASTERISK-23650 #comment Reported by: Roel van Meer ASTERISK-23650 #close Review: https://reviewboard.asterisk.org/r/3539/ git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.8@414214 65c4cc65-6c06-0410-ace0-fbb531ad65f3 --- diff --git a/funcs/func_strings.c b/funcs/func_strings.c index 767ea225b8..80e238e41c 100644 --- a/funcs/func_strings.c +++ b/funcs/func_strings.c @@ -780,7 +780,7 @@ static int replace(struct ast_channel *chan, const char *cmd, char *data, struct AST_APP_ARG(replace); ); char *strptr, *varsubst; - struct ast_str *str = ast_str_thread_get(&result_buf, 16); + RAII_VAR(struct ast_str *, str, ast_str_create(16), ast_free); char find[256]; /* Only 256 characters possible */ char replace[2] = ""; size_t unused;