kenmirrors/asterisk
1
0
Fork 0
mirror of https://github.com/asterisk/asterisk.git synced 2025-11-03 20:38:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

res_config_sqlite3: Fix crashes when reading peers from sqlite3 tables

Browse Source 
Introduced realloaction of ast_str buf in sqlite3_escape functions in case
the returned buffer from threadstorage was actually too small.

Change-Id: I3c5eb43aaade93ee457943daddc651781954c445
This commit is contained in:
Christof Lauber
2016-02-16 15:14:15 +01:00
parent 6fc57b3e1f
commit b7970cabfa
1 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
res/res_config_sqlite3.c
View File

@@ -127,8 +127,14 @@ static inline const char *sqlite3_escape_string_helper(struct ast_threadstorage
* add two quotes, and convert NULL pointers to the word "NULL", but we
* don't allow those anyway. Just going to use %q for now. */
struct ast_str *buf = ast_str_thread_get(ts, maxlen);
char *tmp = ast_str_buffer(buf);
char q = ts == &escape_value_buf ? '\'' : '"';
char *tmp;
if (ast_str_size(buf) < maxlen) {
/* realloc if buf is too small */
ast_str_make_space(&buf, maxlen);
}
tmp = ast_str_buffer(buf);
ast_str_reset(buf);
*tmp++ = q; /* Initial quote */
@@ -160,9 +166,15 @@ static const char *sqlite3_escape_column_op(const char *param)
{
size_t maxlen = strlen(param) * 2 + sizeof("\"\" =");
struct ast_str *buf = ast_str_thread_get(&escape_column_buf, maxlen);
char *tmp = ast_str_buffer(buf);
char *tmp;
int space = 0;
if (ast_str_size(buf) < maxlen) {
/* realloc if buf is too small */
ast_str_make_space(&buf, maxlen);
}
tmp = ast_str_buffer(buf);
ast_str_reset(buf);
*tmp++ = '"';
while ((*tmp++ = *param++)) {