authorMatthew Jordan <mjordan@digium.com>2012-04-19 02:40:55 +0000
committerMatthew Jordan <mjordan@digium.com>2012-04-19 02:40:55 +0000
commitf78290068a078aa867d95f4d6cc7aa94d7c2c949 (patch)
tree4154ae7a24fd60ab66ca3143261406d844cb88a8 /main
parent33c9161d1e4d3f0caa93544739d1d029a1db1961 (diff)
Fix a variety of potential buffer overflows
* chan_mobile: Fixed an overrun where the cind_state buffer (an integer array of size 16) would be overrun due to improper bounds checking. At worst, the buffer can be overrun by a total of 48 bytes (assuming 4-byte integers), which would still leave it within the allocated memory of struct hfp. This would corrupt other elements in that struct but not necessarily cause any further issues. * app_sms: The array imsg is of size 250, while the array (ud) that the data is copied into is of size 160. If the size of the inbound message is greater than 160, up to 90 bytes could be overrun in ud. This would corrupt the user data header (array udh) adjacent to ud. * chan_unistim: A number of invalid memmoves are corrected. These would move data (which may or may not be valid) into the ends of these buffers. * asterisk: ast_console_toggle_loglevel does not check that the console log level being set is less than or equal to the allowed log levels of 32. * format_pref: In ast_codec_pref_prepend, if any occurrence of the specified codec is not found, the value used to index into the array pref->order would be one greater than the maximum size of the array. * jitterbuf: If the element being placed into the jitter buffer lands in the last available slot in the jitter history buffer, the insertion sort attempts to move the last entry in the buffer into one slot past the maximum length of the buffer. Note that this occurred for both the min and max jitter history buffers. * tdd: If a read from fsk_serial returns a character that is greater than 32, an attempt to read past one of the statically defined arrays containing the values that character maps to would occur. * localtime: struct ast_time and tm are not the same size - ast_time is larger, although it contains the elements of tm within it in the same layout. Hence, when using memcpy to copy the contents of tm into ast_time, the size of tm should be used, as opposed to the size of ast_time. 
* extconf: this treats ast_timing's minmask array as if it had a length of 48, when it has defined the size of the array as 24. pbx.h defines minmask as having a size of 48. (issue ASTERISK-19668) Reported by: Matt Jordan ........ Merged revisions 362485 from http://svn.asterisk.org/svn/asterisk/branches/1.8 ........ Merged revisions 362496 from http://svn.asterisk.org/svn/asterisk/branches/10 git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@362497 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'main')
-rw-r--r--main/asterisk.c5
-rw-r--r--main/format_pref.c5
-rw-r--r--main/jitterbuf.c8
-rw-r--r--main/stdtime/localtime.c6
-rw-r--r--main/tdd.c28
5 files changed, 36 insertions, 16 deletions
diff --git a/main/asterisk.c b/main/asterisk.c
index aaa9d03fc..937259cda 100644
--- a/main/asterisk.c
+++ b/main/asterisk.c
@@ -1104,6 +1104,11 @@ int ast_safe_system(const char *s)
void ast_console_toggle_loglevel(int fd, int level, int state)
{
int x;
+
+ if (level >= NUMLOGLEVELS) {
+ level = NUMLOGLEVELS - 1;
+ }
+
for (x = 0;x < AST_MAX_CONNECTS; x++) {
if (fd == consoles[x].fd) {
/*
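Review bot: The new clamp at the top of ast_console_toggle_loglevel bounds only the upper end of `level`; a negative value passes through unchanged, and if `level` is later used as an index into a per-console log-level table (the function body continues past the hunk), that path is still out of bounds. Checking both ends, `if (level < 0 || level >= NUMLOGLEVELS) {`, and either returning or logging the rejected value would be safer than silently clamping, since the clamp turns a caller bug into a change to the highest log level with no trace. A one-line comment stating why NUMLOGLEVELS - 1 was chosen as the fallback would also help the next reader.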
diff --git a/main/format_pref.c b/main/format_pref.c
index 48fac7731..11308e1e0 100644
--- a/main/format_pref.c
+++ b/main/format_pref.c
@@ -195,6 +195,11 @@ void ast_codec_pref_prepend(struct ast_codec_pref *pref, struct ast_format *form
break;
}
+ /* If we failed to find any occurrence, set to the end */
+ if (x == AST_CODEC_PREF_SIZE) {
+ --x;
+ }
+
if (only_if_existing && !pref->order[x]) {
ast_format_list_destroy(f_list);
return;
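Review bot: The clamp added after the search loop folds two different outcomes into `x == AST_CODEC_PREF_SIZE - 1`: the format genuinely sitting in the last slot, and the format being absent from a full table. In the second case the check on the following line, `if (only_if_existing && !pref->order[x])`, sees a non-empty last slot and does not return, so a caller that asked to prepend only if the format already exists appears to proceed anyway; this reading assumes the loop (whose header is outside the hunk) breaks only on a match or an empty slot. Handling the not-found case explicitly before decrementing keeps the two outcomes apart.
```c
	/* If we failed to find any occurrence, set to the end */
	if (x == AST_CODEC_PREF_SIZE) {
		/* Format is absent entirely: honour only_if_existing before clamping */
		if (only_if_existing) {
			ast_format_list_destroy(f_list);
			return;
		}
		--x;
	}
	/* … unchanged: only_if_existing check on pref->order[x] and the rest of the prepend … */
```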
diff --git a/main/jitterbuf.c b/main/jitterbuf.c
index 1ff261f47..1e7191f09 100644
--- a/main/jitterbuf.c
+++ b/main/jitterbuf.c
@@ -242,7 +242,9 @@ static void history_calc_maxbuf(jitterbuf *jb)
/* found where it fits */
if (toins > jb->hist_maxbuf[j]) {
/* move over */
- memmove(jb->hist_maxbuf + j + 1, jb->hist_maxbuf + j, (JB_HISTORY_MAXBUF_SZ - (j + 1)) * sizeof(jb->hist_maxbuf[0]));
+ if (j != JB_HISTORY_MAXBUF_SZ - 1) {
+ memmove(jb->hist_maxbuf + j + 1, jb->hist_maxbuf + j, (JB_HISTORY_MAXBUF_SZ - (j + 1)) * sizeof(jb->hist_maxbuf[0]));
+ }
/* insert */
jb->hist_maxbuf[j] = toins;
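Review bot: The guard uses `!=`, which excludes only the exact last index; if the loop that produces j (its header is outside the hunk) can ever leave j at or beyond JB_HISTORY_MAXBUF_SZ, the length expression goes negative, converts to a huge size_t, and the memmove overruns the buffer, whereas `if (j < JB_HISTORY_MAXBUF_SZ - 1) {` rejects every index at or past the end. For j == JB_HISTORY_MAXBUF_SZ - 1 the original length expression is already zero, so the check mainly avoids forming a destination pointer one past the array; a comment such as `/* last slot: nothing to shift, and no pointer past the end */` would record that intent. The same applies to the hist_minbuf hunk below.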
@@ -259,7 +261,9 @@ static void history_calc_maxbuf(jitterbuf *jb)
/* found where it fits */
if (toins < jb->hist_minbuf[j]) {
/* move over */
- memmove(jb->hist_minbuf + j + 1, jb->hist_minbuf + j, (JB_HISTORY_MAXBUF_SZ - (j + 1)) * sizeof(jb->hist_minbuf[0]));
+ if (j != JB_HISTORY_MAXBUF_SZ - 1) {
+ memmove(jb->hist_minbuf + j + 1, jb->hist_minbuf + j, (JB_HISTORY_MAXBUF_SZ - (j + 1)) * sizeof(jb->hist_minbuf[0]));
+ }
/* insert */
jb->hist_minbuf[j] = toins;
diff --git a/main/stdtime/localtime.c b/main/stdtime/localtime.c
index 3460307a2..7dd3a6928 100644
--- a/main/stdtime/localtime.c
+++ b/main/stdtime/localtime.c
@@ -2365,7 +2365,11 @@ char *ast_strptime_locale(const char *s, const char *format, struct ast_tm *tm,
prevlocale = ast_setlocale(locale);
res = strptime(s, format, &tm2);
ast_setlocale(prevlocale);
- memcpy(tm, &tm2, sizeof(*tm));
+ /* ast_time and tm are not the same size - tm is a subset of
+ * ast_time. Hence, the size of tm needs to be used for the
+ * memcpy
+ */
+ memcpy(tm, &tm2, sizeof(tm2));
tm->tm_usec = 0;
/* strptime(3) doesn't set .tm_isdst correctly, so to force ast_mktime(3)
* to deal with it correctly, we set it to -1. */
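Review bot: The new comment refers to `ast_time`, but the destination type in this function is `struct ast_tm` (see the hunk header), so the wording points a reader at a type that does not appear here; `/* struct ast_tm is a superset of struct tm with the same leading layout, so copy only sizeof(struct tm) bytes */` would match the code. The correctness of the copy still rests on struct ast_tm declaring the struct tm members first and in the same order, which nothing visible enforces; member-wise assignment of the tm fields would make the dependency explicit and survive a reordering, at the cost of a few more lines. If `res` from strptime is not checked before the copy (the rest of the body is outside the hunk), a NULL return leaves tm2 only partially filled when it is copied into tm.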
diff --git a/main/tdd.c b/main/tdd.c
index 1bdc020a3..6ceb31d66 100644
--- a/main/tdd.c
+++ b/main/tdd.c
@@ -69,19 +69,21 @@ static int tdd_decode_baudot(struct tdd_state *tdd,unsigned char data) /* covert
'5','\"',')','2','=','6','0','1',
'9','?','+','^','.','/',';','^' };
int d = 0; /* return 0 if not decodeable */
- switch (data) {
- case 0x1f:
- tdd->modo = 0;
- break;
- case 0x1b:
- tdd->modo = 1;
- break;
- default:
- if (tdd->modo == 0)
- d = ltrs[data];
- else
- d = figs[data];
- break;
+ if (data < 32) {
+ switch (data) {
+ case 0x1f:
+ tdd->modo = 0;
+ break;
+ case 0x1b:
+ tdd->modo = 1;
+ break;
+ default:
+ if (tdd->modo == 0)
+ d = ltrs[data];
+ else
+ d = figs[data];
+ break;
+ }
}
return d;
}
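Review bot: The new bound `data < 32` repeats the size of the ltrs and figs tables as a bare literal; if either table is edited the guard silently drifts, so expressing it as the table length, `if (data < sizeof(ltrs) / sizeof(ltrs[0])) {` (or the project's array-length helper, if one is in scope), ties the check to the data it protects. Both tables must stay the same length for the single comparison to cover the `figs[data]` branch as well; a comment next to the tables saying so would close that gap. A short comment noting that the mode-shift codes 0x1f and 0x1b are themselves below 32 would explain why the switch sits inside the range check. The ltrs table and the function's opening are above the hunk.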