From 28da36e3e004b37584acaa28e99c674bfa39842a Mon Sep 17 00:00:00 2001
From: Thomas Weber <thomas.wt.weber@atos.net>
Date: Tue, 19 Jan 2016 14:50:38 +0100
Subject: [PATCH] Buffer overflow in switch_channel_expand_variables_check and
 switch_event_expand_headers_check fixed (FS-8757)

---
 src/switch_channel.c | 19 ++++++++++++++++---
 src/switch_event.c   | 19 ++++++++++++++++---
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/src/switch_channel.c b/src/switch_channel.c
index b9aa1d71fc..68130b230e 100644
--- a/src/switch_channel.c
+++ b/src/switch_channel.c
@@ -3825,6 +3825,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
 					p++;
 					continue;
 				} else if (*(p + 1) == '\\') {
+					if (len + 1 >= olen) {
+						resize(1);
+					}
+
 					*c++ = *p++;
 					len++;
 					continue;
@@ -3850,6 +3854,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
 			}
 
 			if (nv) {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = *p;
 				len++;
 				nv = 0;
@@ -4045,11 +4053,12 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
 				vname = NULL;
 				br = 0;
 			}
-			if (len + 1 >= olen) {
-				resize(1);
-			}
 
 			if (sp) {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = ' ';
 				sp = 0;
 				len++;
@@ -4058,6 +4067,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
 			if (*p == '$') {
 				p--;
 			} else {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = *p;
 				len++;
 			}
diff --git a/src/switch_event.c b/src/switch_event.c
index fea4d0691f..ff0d272fc4 100644
--- a/src/switch_event.c
+++ b/src/switch_event.c
@@ -2240,6 +2240,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
 					p++;
 					continue;
 				} else if (*(p + 1) == '\\') {
+					if (len + 1 >= olen) {
+						resize(1);
+					}
+
 					*c++ = *p++;
 					len++;
 					continue;
@@ -2264,6 +2268,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
 			}
 
 			if (nv) {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = *p;
 				len++;
 				nv = 0;
@@ -2464,11 +2472,12 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
 				vtype = 0;
 				br = 0;
 			}
-			if (len + 1 >= olen) {
-				resize(1);
-			}
 
 			if (sp) {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = ' ';
 				sp = 0;
 				len++;
@@ -2477,6 +2486,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
 			if (*p == '$') {
 				p--;
 			} else {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = *p;
 				len++;
 			}