From b156cbd604fbb879d9d987c0581bab2e7dbe6dfb Mon Sep 17 00:00:00 2001
From: Steve Underwood
Date: Tue, 12 May 2015 12:00:04 +0800
Subject: [PATCH] A slightly mroe elegant an commented fix for the potential overflow issue in udptl.c
---
 src/mod/applications/mod_spandsp/udptl.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/mod/applications/mod_spandsp/udptl.c b/src/mod/applications/mod_spandsp/udptl.c
index 874c30b686..6644a6ed74 100644
--- a/src/mod/applications/mod_spandsp/udptl.c
+++ b/src/mod/applications/mod_spandsp/udptl.c
@@ -222,10 +222,12 @@ int udptl_rx_packet(udptl_state_t *s, const uint8_t buf[], int len)
 do {
 if ((stat = decode_length(buf, len, &ptr, &count)) < 0)
 return -1;
+ if ((total_count + count) >= 16) {
+ /* There is too much stuff here to be real, and it would overflow the bufs array
+ if we continue */
+ return -1;
+ }
 for (i = 0; i < count; i++) {
- if (total_count + i >= 16) {
- return -1;
- }
 if (decode_open_type(buf, len, &ptr, &bufs[total_count + i], &lengths[total_count + i]) != 0)
 return -1;
 }
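Review bot: The hoisted guard `if ((total_count + count) >= 16)` is one entry stricter than the per-iteration check it replaces. The old loop accepted indices up to 15, so a packet whose entries total exactly 16 used to be decoded and is now rejected. If `bufs` and `lengths` are 16-element arrays (their declarations are outside the hunk), `> 16` keeps the overrun protection without dropping a full packet; if the stricter limit is intended, the comment should say so. Because `count` is filled in by `decode_length()` from received data, a subtraction form such as `if (count > 16 - total_count)` (assuming both are non-negative ints) avoids depending on the sum not wrapping. Replacing the literal 16 with `sizeof(bufs)/sizeof(bufs[0])` would keep the bound tied to the array. The body of `udptl_rx_packet` starts and ends outside the hunk.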