Details
- Type: Bug
- Status: Closed
- Severity: Critical
- Resolution: Fixed
- Affects Version/s: 11.1.2
- Component/s: Resources/res_format_attr_h264
- Labels: None
- Regression: No
Description
Hi,
I just saw this in res/res_format_attr_h264.c in Asterisk 11.1.2:

    char sps[H264_MAX_SPS_PPS_SIZE], pps[H264_MAX_SPS_PPS_SIZE];

    if (sscanf(attrib, "profile-level-id=%lx", &val2) == 1) {
        format_attr->format_attr[H264_ATTR_KEY_PROFILE_IDC] = ((val2 >> 16) & 0xFF);
        format_attr->format_attr[H264_ATTR_KEY_PROFILE_IOP] = ((val2 >> 8) & 0xFF);
        format_attr->format_attr[H264_ATTR_KEY_LEVEL] = (val2 & 0xFF);
    } else if (sscanf(attrib, "sprop-parameter-sets=%[^','],%s", sps, pps) == 2) {

I suspect there might be a potential buffer overflow here with a long "sprop-parameter-sets" string, but I don't really know the involved protocols well enough to check this. What do you think?
// Ulf Härnhammar
Confirmed. When using sscanf, we need to length-limit the strings to the length of the buffers on the stack - 1.
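A width-limited form of the `sprop-parameter-sets` parse discussed above, as an added example rather than the Asterisk project's own fix; it also uses `%n` to reject a value that the width cut off instead of silently using it truncated. The buffer size of 16, the `H264_SPS_PPS_SCAN_WIDTH` macro and the helper `sprop_parses_to` are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example (same name as the Asterisk constant). */
#define H264_MAX_SPS_PPS_SIZE 16
/* sscanf field width: one less than the buffer so the terminating NUL fits. */
#define H264_SPS_PPS_SCAN_WIDTH "15"
_Static_assert(H264_MAX_SPS_PPS_SIZE == 15 + 1, "scan width must stay buffer size - 1");

/* Hardened form of the report's unbounded
 *     sscanf(attrib, "sprop-parameter-sets=%[^','],%s", sps, pps)
 * Width-limited conversions can never write past sps/pps; %n records how much
 * input was consumed so a PPS cut off by the width is rejected, not used truncated.
 * Returns 1 when both values were parsed and fit completely, otherwise 0. */
int parse_sprop_parameter_sets(const char *attrib, char *sps, char *pps)
{
    int consumed = 0;
    sps[0] = pps[0] = '\0';
    if (sscanf(attrib, "sprop-parameter-sets=%" H264_SPS_PPS_SCAN_WIDTH "[^','],%"
               H264_SPS_PPS_SCAN_WIDTH "s%n", sps, pps, &consumed) != 2) {
        return 0;   /* no comma, empty SPS, or SPS longer than the width */
    }
    return attrib[consumed] == '\0';   /* leftover input means PPS was truncated */
}

/* Parse into stack buffers sized like the original code; returns 1 if accepted
 * and (when want_sps/want_pps are non-NULL) the parsed values equal them. */
int sprop_parses_to(const char *attrib, const char *want_sps, const char *want_pps)
{
    char sps[H264_MAX_SPS_PPS_SIZE], pps[H264_MAX_SPS_PPS_SIZE];
    if (!parse_sprop_parameter_sets(attrib, sps, pps)) return 0;
    return (!want_sps || strcmp(sps, want_sps) == 0)
        && (!want_pps || strcmp(pps, want_pps) == 0);
}

int main(void)
{
    /* Constructed sample attributes, not taken from any real SDP. */
    const char *samples[] = {
        "sprop-parameter-sets=Z0IACpZTBYmI,aMljiA==",                      /* fits */
        "sprop-parameter-sets=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA,x",  /* long SPS */
        "sprop-parameter-sets=a,BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",  /* long PPS */
        "sprop-parameter-sets=abc",                                        /* no comma */
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%s -> %s\n", samples[i],
               sprop_parses_to(samples[i], NULL, NULL) ? "accepted" : "rejected");
    return 0;
}
```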
Issue Links
- must be completed before resolving: ASTERISK-21005 Open Blockers for 11.3.0 (Closed)