Buffer overflow in switch_channel_expand_variables_check and…

Buffer overflow in switch_channel_expand_variables_check and switch_event_expand_headers_check fixed (FS-8757)

Buffer overflow in switch_channel_expand_variables_check and…
Buffer overflow in switch_channel_expand_variables_check and switch_event_expand_headers_check fixed (FS-8757)
28da36e3 · Thomas Weber · 52583384 · 28da36e3 · 28da36e3
--- a/src/switch_channel.c
+++ b/src/switch_channel.c
@@ -3825,6 +3825,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
 					p++;
 					continue;
 				} else if (*(p + 1) == '\\') {
+					if (len + 1 >= olen) {
+						resize(1);
+					}
+
 					*c++ = *p++;
 					len++;
 					continue;
@@ -3850,6 +3854,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
 			}

 			if (nv) {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = *p;
 				len++;
 				nv = 0;
@@ -4045,11 +4053,12 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
 				vname = NULL;
 				br = 0;
 			}
-			if (len + 1 >= olen) {
-				resize(1);
-			}

 			if (sp) {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = ' ';
 				sp = 0;
 				len++;
@@ -4058,6 +4067,10 @@ SWITCH_DECLARE(char *) switch_channel_expand_variables_check(switch_channel_t *c
 			if (*p == '$') {
 				p--;
 			} else {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = *p;
 				len++;
 			}

--- a/src/switch_event.c
+++ b/src/switch_event.c
@@ -2240,6 +2240,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
 					p++;
 					continue;
 				} else if (*(p + 1) == '\\') {
+					if (len + 1 >= olen) {
+						resize(1);
+					}
+
 					*c++ = *p++;
 					len++;
 					continue;
@@ -2264,6 +2268,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
 			}

 			if (nv) {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = *p;
 				len++;
 				nv = 0;
@@ -2464,11 +2472,12 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
 				vtype = 0;
 				br = 0;
 			}
-			if (len + 1 >= olen) {
-				resize(1);
-			}

 			if (sp) {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = ' ';
 				sp = 0;
 				len++;
@@ -2477,6 +2486,10 @@ SWITCH_DECLARE(char *) switch_event_expand_headers_check(switch_event_t *event,
 			if (*p == '$') {
 				p--;
 			} else {
+				if (len + 1 >= olen) {
+					resize(1);
+				}
+
 				*c++ = *p;
 				len++;
 			}