
Summary: ASTERISK-20901: Security Vulnerability: Possible stack corruption when parsing H.264 format attributes
Reporter: Matt Jordan (mjordan)
Labels:
Date Opened: 2013-01-07 16:05:02.000-0600
Date Closed: 2013-03-27 10:53:57
Priority: Critical
Regression?: No
Status: Closed/Complete
Components: Resources/res_format_attr_h264
Versions: 11.1.2
Frequency of Occurrence:
Related Issues: must be completed before resolving ASTERISK-21005 Open Blockers for 11.3.0
Environment:
Attachments: ( 0) AST-2013-001-11.diff
             ( 1) h264_overflow_security_patch.diff
Description:{quote}

Hi,

I just saw this in res/res_format_attr_h264.c in Asterisk 11.1.2:

{code}
char sps[H264_MAX_SPS_PPS_SIZE], pps[H264_MAX_SPS_PPS_SIZE];

if (sscanf(attrib, "profile-level-id=%lx", &val2) == 1) {
   format_attr->format_attr[H264_ATTR_KEY_PROFILE_IDC] = ((val2 >> 16) & 0xFF);
   format_attr->format_attr[H264_ATTR_KEY_PROFILE_IOP] = ((val2 >> 8) & 0xFF);
   format_attr->format_attr[H264_ATTR_KEY_LEVEL] = (val2 & 0xFF);
/* Neither %[^','] nor %s carries a field width, so sscanf copies as much as the attribute holds. */
} else if (sscanf(attrib, "sprop-parameter-sets=%[^','],%s", sps, pps) == 2) {
{code}

I suspect there might be a potential buffer overflow here with a long "sprop-parameter-sets" string, but I don't really know the involved protocols well enough to check this. What do you think?

// Ulf Härnhammar

{quote}

Confirmed. When using sscanf, we need to length-limit the strings to the length of the buffers on the stack - 1.
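As an added illustration of the fix described above (example code written for this page, not Asterisk's res_format_attr_h264.c and not the attached patch), the unbounded sscanf from the report is shown beside a width-limited version. The value of H264_MAX_SPS_PPS_SIZE, the sample attribute strings and the function names are assumptions made for the demonstration; Asterisk's real constant may differ.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this demonstration; the real constant lives in
 * res/res_format_attr_h264.c and may differ. */
#define H264_MAX_SPS_PPS_SIZE 64

/* Vulnerable form, as in the snippet from the report: no field width on
 * either conversion, so a sprop-parameter-sets value longer than the
 * buffers is written past the end of sps/pps on the stack. Kept only for
 * comparison; never call it with untrusted input. */
int parse_sprop_unbounded(const char *attrib,
                          char sps[H264_MAX_SPS_PPS_SIZE],
                          char pps[H264_MAX_SPS_PPS_SIZE])
{
    return sscanf(attrib, "sprop-parameter-sets=%[^,],%s", sps, pps) == 2;
}

/* Hardened form: each conversion carries a width of (buffer size - 1), so
 * sscanf stores at most that many characters plus the terminating NUL.
 * %n after each conversion records how far the input was consumed, which
 * tells "stopped at the comma / end of string" apart from "stopped because
 * the width limit was hit", i.e. exactly the input that would have
 * overflowed the unbounded version.
 * Returns  1 on success, 0 if the attribute does not match, and
 *         -1 if either parameter set is too long for its buffer. */
int parse_sprop_bounded(const char *attrib,
                        char *sps, size_t sps_size,
                        char *pps, size_t pps_size)
{
    char fmt[96];
    int after_sps = -1, after_pps = -1, n;

    if (sps_size < 2 || pps_size < 2) {
        return 0;
    }
    /* Builds e.g. "sprop-parameter-sets=%63[^,]%n,%63s%n" for 64-byte buffers. */
    snprintf(fmt, sizeof(fmt), "sprop-parameter-sets=%%%zu[^,]%%n,%%%zus%%n",
             sps_size - 1, pps_size - 1);

    sps[0] = pps[0] = '\0';
    n = sscanf(attrib, fmt, sps, &after_sps, pps, &after_pps);
    if (n < 1) {
        return 0;                 /* different attribute, or empty SPS */
    }
    if (attrib[after_sps] != ',') {
        return -1;                /* SPS hit the width limit before the comma */
    }
    if (n < 2) {
        return 0;                 /* comma present but no PPS */
    }
    if (attrib[after_pps] != '\0') {
        return -1;                /* PPS hit the width limit before the end */
    }
    return 1;
}

/* Parse into stack buffers of the real size and report only the status. */
int parse_sprop_status(const char *attrib)
{
    char sps[H264_MAX_SPS_PPS_SIZE], pps[H264_MAX_SPS_PPS_SIZE];
    return parse_sprop_bounded(attrib, sps, sizeof(sps), pps, sizeof(pps));
}

/* 1 if the attribute parses and yields exactly the expected SPS and PPS. */
int parse_sprop_matches(const char *attrib, const char *want_sps,
                        const char *want_pps)
{
    char sps[H264_MAX_SPS_PPS_SIZE], pps[H264_MAX_SPS_PPS_SIZE];
    if (parse_sprop_bounded(attrib, sps, sizeof(sps), pps, sizeof(pps)) != 1) {
        return 0;
    }
    return strcmp(sps, want_sps) == 0 && strcmp(pps, want_pps) == 0;
}

/* Constructed sample attributes (not taken from a real capture). */
const char *ATTR_OK = "sprop-parameter-sets=Z0IAHpZSgFADYgAAAwACAAADAHgFSSA=,aM48gA==";
const char *ATTR_LONG_SPS = "sprop-parameter-sets="          /* 80-byte SPS */
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
    "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" ",aM48gA==";
const char *ATTR_LONG_PPS = "sprop-parameter-sets=Z0IA,"     /* 80-byte PPS */
    "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB"
    "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB";

int main(void)
{
    const char *cases[] = { ATTR_OK, ATTR_LONG_SPS, ATTR_LONG_PPS,
                            "sprop-parameter-sets=Z0IA,", "profile-level-id=42e01f" };
    size_t i;
    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        printf("%-45.45s -> %d\n", cases[i], parse_sprop_status(cases[i]));
    }
    return 0;
}
```

A bare field width is enough to stop the stack write, but sscanf then truncates silently and still reports two successful conversions, so the caller would carry a cut-off SPS or PPS forward as if it were valid. The %n checks above turn that case into an explicit rejection, which is the behaviour a parser of attacker-supplied SDP should have.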
Comments: