
Security Vulnerability: Possible stack corruption when parsing H.264 format attributes

    Details

    • Regression:
      No

      Description

      Hi,

      I just saw this in res/res_format_attr_h264.c in Asterisk 11.1.2:

      char sps[H264_MAX_SPS_PPS_SIZE], pps[H264_MAX_SPS_PPS_SIZE];

      if (sscanf(attrib, "profile-level-id=%lx", &val2) == 1) {
          format_attr->format_attr[H264_ATTR_KEY_PROFILE_IDC] = ((val2 >> 16) & 0xFF);
          format_attr->format_attr[H264_ATTR_KEY_PROFILE_IOP] = ((val2 >> 8) & 0xFF);
          format_attr->format_attr[H264_ATTR_KEY_LEVEL] = (val2 & 0xFF);
      } else if (sscanf(attrib, "sprop-parameter-sets=%[^','],%s", sps, pps) == 2) {

      I suspect there might be a potential buffer overflow here with a long "sprop-parameter-sets" string, but I don't really know the involved protocols well enough to check this. What do you think?

      // Ulf Härnhammar

      Confirmed. When using sscanf, we need to length-limit the strings to the length of the buffers on the stack - 1.
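      A hardened form of the parse discussed above, written as an added example here and not taken from either attached patch: it assumes a buffer size of 64 and that attrib holds one already-split attribute, derives the sscanf widths from the real buffer sizes (size - 1, as the confirmation says), and additionally rejects values that would have been truncated.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example; Asterisk defines its own value. */
#define H264_MAX_SPS_PPS_SIZE 64

/* Parse one "sprop-parameter-sets=<sps>,<pps>" attribute into fixed-size
 * buffers. The sscanf widths are derived from the buffer sizes (size - 1,
 * leaving room for the NUL), so an overlong value can never write past the
 * end of sps or pps. Returns 1 on success, 0 when the attribute does not
 * match or a field would not fit: overlong input is rejected, not truncated. */
int parse_sprop_parameter_sets(const char *attrib,
                               char *sps, size_t sps_size,
                               char *pps, size_t pps_size)
{
    char fmt[80];
    int consumed = 0;
    if (sps_size < 2 || pps_size < 2) {
        return 0;
    }
    /* Builds e.g. "sprop-parameter-sets=%63[^,],%63s%n" at run time, so the
     * widths always track the real buffer sizes instead of a hard-coded 63. */
    snprintf(fmt, sizeof fmt, "sprop-parameter-sets=%%%zu[^,],%%%zus%%n",
             sps_size - 1, pps_size - 1);

    if (sscanf(attrib, fmt, sps, pps, &consumed) != 2) {
        /* No match, or the SPS reached its width before the ',' so the
         * literal comma failed to match: the SPS was too long. */
        return 0;
    }
    /* %s stops quietly at its width; %n records how far sscanf got, so any
     * leftover input means the PPS was cut short. */
    if (attrib[consumed] != '\0') {
        return 0;
    }
    return 1;
}

/* Mirrors the call site quoted in the issue: two stack buffers of
 * H264_MAX_SPS_PPS_SIZE bytes. Returns the parsed SPS length, or -1 when the
 * attribute is rejected, so the outcome can be checked without the buffers. */
int parse_h264_sprop(const char *attrib)
{
    char sps[H264_MAX_SPS_PPS_SIZE], pps[H264_MAX_SPS_PPS_SIZE];
    if (!parse_sprop_parameter_sets(attrib, sps, sizeof sps, pps, sizeof pps)) {
        return -1;
    }
    return (int)strlen(sps);
}
```

      The original scanset `[^',']` excludes apostrophes as well as the comma; the example uses `[^,]` because only the comma separates the two fields.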

      1. AST-2013-001-11.diff
        2 kB
        Matt Jordan
      2. h264_overflow_security_patch.diff
        2 kB
        Jonathan Rose
