diff options
author | Christof Lauber <christof.lauber@annax.ch> | 2016-02-16 15:14:15 +0100 |
---|---|---|
committer | Mark Michelson <mmichelson@digium.com> | 2016-02-23 16:01:52 -0600 |
commit | ea9deff996744b41ae383876b6c4e64936d85a9c (patch) | |
tree | 18906b28ef322ae22a34bc1f1e2e74ae0e4c3f88 /res/res_config_sqlite3.c | |
parent | aa637f0a911eb9184de1922b1d230855822ed839 (diff) |
res_config_sqlite3: Fix crashes when reading peers from sqlite3 tables
Introduced realloaction of ast_str buf in sqlite3_escape functions in case
the returned buffer from threadstorage was actually too small.
Change-Id: I3c5eb43aaade93ee457943daddc651781954c445
Diffstat (limited to 'res/res_config_sqlite3.c')
-rw-r--r-- | res/res_config_sqlite3.c | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/res/res_config_sqlite3.c b/res/res_config_sqlite3.c index 04b8e374c..4c4b82051 100644 --- a/res/res_config_sqlite3.c +++ b/res/res_config_sqlite3.c @@ -127,8 +127,14 @@ static inline const char *sqlite3_escape_string_helper(struct ast_threadstorage * add two quotes, and convert NULL pointers to the word "NULL", but we * don't allow those anyway. Just going to use %q for now. */ struct ast_str *buf = ast_str_thread_get(ts, maxlen); - char *tmp = ast_str_buffer(buf); char q = ts == &escape_value_buf ? '\'' : '"'; + char *tmp; + + if (ast_str_size(buf) < maxlen) { + /* realloc if buf is too small */ + ast_str_make_space(&buf, maxlen); + } + tmp = ast_str_buffer(buf); ast_str_reset(buf); *tmp++ = q; /* Initial quote */ @@ -160,9 +166,15 @@ static const char *sqlite3_escape_column_op(const char *param) { size_t maxlen = strlen(param) * 2 + sizeof("\"\" ="); struct ast_str *buf = ast_str_thread_get(&escape_column_buf, maxlen); - char *tmp = ast_str_buffer(buf); + char *tmp; int space = 0; + if (ast_str_size(buf) < maxlen) { + /* realloc if buf is too small */ + ast_str_make_space(&buf, maxlen); + } + tmp = ast_str_buffer(buf); + ast_str_reset(buf); *tmp++ = '"'; while ((*tmp++ = *param++)) { |