From 852e4a9471d5737f349e843a221be258965c6de5 Mon Sep 17 00:00:00 2001
From: Andrey Volk <andywolk@gmail.com>
Date: Mon, 20 Jan 2020 00:20:30 +0400
Subject: [PATCH] [mod_rayo] Fix heap use after free and a possible buffer
 overflow.

---
 src/mod/event_handlers/mod_rayo/mod_rayo.c | 2 +-
 src/mod/event_handlers/mod_rayo/srgs.c     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/mod/event_handlers/mod_rayo/mod_rayo.c b/src/mod/event_handlers/mod_rayo/mod_rayo.c
index 25ab87b975..b2e3ef2734 100644
--- a/src/mod/event_handlers/mod_rayo/mod_rayo.c
+++ b/src/mod/event_handlers/mod_rayo/mod_rayo.c
@@ -4854,7 +4854,7 @@ static int alias_api(struct rayo_cmd_alias *alias, char *args, switch_stream_han
 	cmd = strdup(alias->cmd);
 	for (i = 1; i < argc; i++) {
 		char *cmd_new;
-		char to_replace[4] = { 0 };
+		char to_replace[12] = { 0 };
 		sprintf(to_replace, "$%i", i);
 		cmd_new = switch_string_replace(cmd, to_replace, argv[i]);
 		free(cmd);
diff --git a/src/mod/event_handlers/mod_rayo/srgs.c b/src/mod/event_handlers/mod_rayo/srgs.c
index 6a3111704f..7981c24ef2 100644
--- a/src/mod/event_handlers/mod_rayo/srgs.c
+++ b/src/mod/event_handlers/mod_rayo/srgs.c
@@ -851,8 +851,8 @@ static void srgs_grammar_destroy(struct srgs_grammar *grammar)
 	if (grammar->jsgf_file_name) {
 		switch_file_remove(grammar->jsgf_file_name, pool);
 	}
-	switch_core_destroy_memory_pool(&pool);
 	switch_core_hash_destroy(&grammar->rules);
+	switch_core_destroy_memory_pool(&pool);
 }
 
 /**