File: 0003-cve-fix-heap-overflow-by-two.patch

sofia-sip 1.12.11%2B20110422.1%2B1e14eea~dfsg-6
From: Andrey Volk <andywolk@gmail.com>
Date: Mon, 18 Apr 2022 17:27:28 +0300
Subject: Fix Heap-buffer-overflow in parse_descs and parse_message

Bug: https://security-tracker.debian.org/tracker/CVE-2022-31003
Bug-Debian: https://bugs.debian.org/1016974

Last-Update: 2022-08-13
---
 libsofia-sip-ua/sdp/sdp_parse.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/libsofia-sip-ua/sdp/sdp_parse.c b/libsofia-sip-ua/sdp/sdp_parse.c
index 37055fc..fb0c3a9 100644
--- a/libsofia-sip-ua/sdp/sdp_parse.c
+++ b/libsofia-sip-ua/sdp/sdp_parse.c
@@ -392,6 +392,10 @@ static void parse_message(sdp_parser_t *p)
        record = next(&message, CRLF, strip)) {
     field = record[0];
 
+    if (strlen(record) < 2) {
+      return;
+    }
+
     rest = record + 2; rest += strspn(rest, strip);
 
     if (record[1] != '=') {
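Review bot: The new guard `if (strlen(record) < 2)` in parse_message leaves the function with a bare `return;`, so a one-character record silently ends parsing instead of being flagged as malformed input; the identical guard added to parse_descs in the second hunk behaves the same way. If the `record[1] != '='` branch just below reports a parse error (its body is outside the hunk, so this is an assumption), the short-record case should probably take that same error path, so that a truncated line cannot make the rest of the description disappear unnoticed. The bound itself looks right: with two characters `record + 2` lands on the terminator, which `strspn` handles. A short comment would make that intent explicit, for example `/* need at least "x=" so that record + 2 stays inside the string */`. Both function bodies start and end outside the hunks, so what the caller sees after the early return cannot be confirmed from here.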
@@ -1733,6 +1737,10 @@ static void parse_descs(sdp_parser_t *p,
        record = next(&message, CRLF, strip)) {
     char field = record[0];
 
+    if (strlen(record) < 2) {
+      return;
+    }
+
     rest = record + 2; rest += strspn(rest, strip);
 
     if (record[1] == '=') switch (field) {