diff options
author | Christof Lauber <christof.lauber@annax.ch> | 2016-02-16 15:14:15 +0100 |
---|---|---|
committer | Christof Lauber <christof.lauber@annax.ch> | 2016-02-22 10:11:43 +0100 |
commit | b7970cabfab31408b55c4797fa260525465811e6 (patch) | |
tree | 1bc50fc7cdba42e49083dac7b13755d2f2f5155f /res/res_config_sqlite3.c | |
parent | 6fc57b3e1f401fd18e3e4d4462f973094dd0908c (diff) |
res_config_sqlite3: Fix crashes when reading peers from sqlite3 tables
Introduced realloaction of ast_str buf in sqlite3_escape functions in case
the returned buffer from threadstorage was actually too small.
Change-Id: I3c5eb43aaade93ee457943daddc651781954c445
Diffstat (limited to 'res/res_config_sqlite3.c')
-rw-r--r-- | res/res_config_sqlite3.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/res/res_config_sqlite3.c b/res/res_config_sqlite3.c index 0b0a78cf4..a30612368 100644 --- a/res/res_config_sqlite3.c +++ b/res/res_config_sqlite3.c @@ -127,8 +127,14 @@ static inline const char *sqlite3_escape_string_helper(struct ast_threadstorage * add two quotes, and convert NULL pointers to the word "NULL", but we * don't allow those anyway. Just going to use %q for now. */ struct ast_str *buf = ast_str_thread_get(ts, maxlen); - char *tmp = ast_str_buffer(buf); char q = ts == &escape_value_buf ? '\'' : '"'; + char *tmp; + + if (ast_str_size(buf) < maxlen) { + /* realloc if buf is too small */ + ast_str_make_space(&buf, maxlen); + } + tmp = ast_str_buffer(buf); ast_str_reset(buf); *tmp++ = q; /* Initial quote */ @@ -160,9 +166,15 @@ static const char *sqlite3_escape_column_op(const char *param) { size_t maxlen = strlen(param) * 2 + sizeof("\"\" ="); struct ast_str *buf = ast_str_thread_get(&escape_column_buf, maxlen); - char *tmp = ast_str_buffer(buf); + char *tmp; int space = 0; + if (ast_str_size(buf) < maxlen) { + /* realloc if buf is too small */ + ast_str_make_space(&buf, maxlen); + } + tmp = ast_str_buffer(buf); + ast_str_reset(buf); *tmp++ = '"'; while ((*tmp++ = *param++)) { |