FS-10001: [core] Fix Buffer overflow collecting digits

25bbb42e · Mike Jerris · d5e558fa · 25bbb42e · 25bbb42e
--- a/src/mod/applications/mod_dptools/mod_dptools.c
+++ b/src/mod/applications/mod_dptools/mod_dptools.c
@@ -935,6 +935,7 @@ SWITCH_STANDARD_APP(eavesdrop_function)
 					if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_failed"))) {
 						switch_ivr_play_file(session, NULL, file, NULL);
 					}
+					buf[0] = '\0';
 					switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 5000, 0, 0);
 					continue;
 				}
@@ -954,6 +955,7 @@ SWITCH_STANDARD_APP(eavesdrop_function)
 								if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_failed"))) {
 									switch_ivr_play_file(session, NULL, file, NULL);
 								}
+								buf[0] = '\0';
 								switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 5000, 0, 0);
 							}
 						}
@@ -962,6 +964,7 @@ SWITCH_STANDARD_APP(eavesdrop_function)
 					if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_idle"))) {
 						switch_ivr_play_file(session, NULL, file, NULL);
 					}
+					buf[0] = '\0';
 					switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 2000, 0, 0);
 				}
 			}

--- a/src/switch_ivr.c
+++ b/src/switch_ivr.c
@@ -1333,6 +1333,11 @@ SWITCH_DECLARE(switch_status_t) switch_ivr_collect_digits_count(switch_core_sess
 	int sval = 0;
 	const char *var;

+
+	if (x >= buflen || x >= maxdigits) {
+		return SWITCH_STATUS_FALSE;
+	}
+
 	if ((var = switch_channel_get_variable(channel, SWITCH_SEND_SILENCE_WHEN_IDLE_VARIABLE)) && (sval = atoi(var))) {
 		switch_core_session_get_read_impl(session, &imp);