diff options
| author | Matthew Jordan <mjordan@digium.com> | 2013-03-27 14:28:36 +0000 |
|---|---|---|
| committer | Matthew Jordan <mjordan@digium.com> | 2013-03-27 14:28:36 +0000 |
| commit | 4b5a0e1932104adb25132d31bf84f1caf621d8bc (patch) | |
| tree | 48883b894f43da3f722a808b475698f0b8c7caa9 /res/res_format_attr_h264.c | |
| parent | 63a4da4eba118b62086b085a52dda856921bb070 (diff) | |
AST-2013-001: Prevent buffer overflow through H.264 format negotiation
The format attribute resource for H.264 video performs an unsafe read against a
media attribute when parsing the SDP. The value passed in with the format
attribute is not checked for its length when parsed into a fixed length buffer.
This patch resolves the vulnerability by only reading as many characters from
the SDP value as will fit into the buffer.
(closes issue ASTERISK-20901)
Reported by: Ulf Harnhammar
patches:
h264_overflow_security_patch.diff uploaded by jrose (License 6182)
........
Merged revisions 383973 from http://svn.asterisk.org/svn/asterisk/branches/11
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@383975 65c4cc65-6c06-0410-ace0-fbb531ad65f3
Diffstat (limited to 'res/res_format_attr_h264.c')
| -rw-r--r-- | res/res_format_attr_h264.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/res/res_format_attr_h264.c b/res/res_format_attr_h264.c index 9642c51f1..eae1aa36e 100644 --- a/res/res_format_attr_h264.c +++ b/res/res_format_attr_h264.c @@ -41,8 +41,14 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") /*! \brief Value that indicates an attribute is actually unset */ #define H264_ATTR_KEY_UNSET UINT8_MAX -/*! \brief Maximum size for SPS / PPS values in sprop-parameter-sets attribute */ +/*! \brief Maximum size for SPS / PPS values in sprop-parameter-sets attribute + * if you change this value then you must change H264_MAX_SPS_PPS_SIZE_SCAN_LIMIT + * as well. */ #define H264_MAX_SPS_PPS_SIZE 16 +/*! \brief This is used when executing sscanf on buffers of H264_MAX_SPS_PPS_SIZE + * length. It must ALWAYS be a string literal representation of one less than + * H264_MAX_SPS_PPS_SIZE */ +#define H264_MAX_SPS_PPS_SIZE_SCAN_LIMIT "15" enum h264_attr_keys { H264_ATTR_KEY_PROFILE_IDC, @@ -111,7 +117,8 @@ static int h264_format_attr_sdp_parse(struct ast_format_attr *format_attr, const format_attr->format_attr[H264_ATTR_KEY_PROFILE_IDC] = ((val2 >> 16) & 0xFF); format_attr->format_attr[H264_ATTR_KEY_PROFILE_IOP] = ((val2 >> 8) & 0xFF); format_attr->format_attr[H264_ATTR_KEY_LEVEL] = (val2 & 0xFF); - } else if (sscanf(attrib, "sprop-parameter-sets=%[^','],%s", sps, pps) == 2) { + } else if (sscanf(attrib, "sprop-parameter-sets=%" H264_MAX_SPS_PPS_SIZE_SCAN_LIMIT "[^','],%" H264_MAX_SPS_PPS_SIZE_SCAN_LIMIT "s", sps, pps) == 2) { + /* XXX sprop-parameter-sets can actually be of unlimited length. This may need to be addressed later. */ unsigned char spsdecoded[H264_MAX_SPS_PPS_SIZE] = { 0, }, ppsdecoded[H264_MAX_SPS_PPS_SIZE] = { 0, }; int i; |