From 214973a574a860623ac0d4f4356e7c1a6a699ef0 Mon Sep 17 00:00:00 2001
From: Joshua Colp
Date: Tue, 1 Apr 2008 16:45:14 +0000
Subject: [PATCH] Ensure that we do not exceed the hold's maximum size with a single frame. (closes issue #12047) Reported by: fabianoheringer Tested by: fabianoheringer

git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@112125 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 include/asterisk/slinfactory.h | 4 +++-
 main/slinfactory.c | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/include/asterisk/slinfactory.h b/include/asterisk/slinfactory.h
index b81817d6bd..a65558bbb6 100644
--- a/include/asterisk/slinfactory.h
+++ b/include/asterisk/slinfactory.h
@@ -31,10 +31,12 @@ extern "C" {
 #endif
+#define AST_SLINFACTORY_MAX_HOLD 1280
+
 struct ast_slinfactory {
 AST_LIST_HEAD_NOLOCK(, ast_frame) queue;
 struct ast_trans_pvt *trans;
- short hold[1280];
+ short hold[AST_SLINFACTORY_MAX_HOLD];
 short *offset;
 size_t holdlen; /*!< in samples */
 unsigned int size; /*!< in samples */
diff --git a/main/slinfactory.c b/main/slinfactory.c
index df1af3738b..0022c62def 100644
--- a/main/slinfactory.c
+++ b/main/slinfactory.c
@@ -137,6 +137,9 @@ int ast_slinfactory_read(struct ast_slinfactory *sf, short *buf, size_t samples)
 memcpy(offset, frame_data, ineed * sizeof(*offset));
 sofar += ineed;
 frame_data += ineed;
+ if (remain > (AST_SLINFACTORY_MAX_HOLD - sf->holdlen)) {
+ remain = AST_SLINFACTORY_MAX_HOLD - sf->holdlen;
+ }
 memcpy(sf->hold, frame_data, remain * sizeof(*offset));
 sf->holdlen = remain;
 }
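Review bot: The new `AST_SLINFACTORY_MAX_HOLD` define has no comment stating its unit, while the neighbouring `holdlen` and `size` fields are both marked `/*!< in samples */`. The constant now feeds bounds arithmetic ahead of a `memcpy` whose length is multiplied by `sizeof(*offset)`, so a reader who takes it for a byte count would size a copy wrongly. I would add `/*! Capacity of ast_slinfactory.hold, in samples (not bytes) */` above the define. The struct definition continues past the end of the hunk.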
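Review bot: The clamp in `main/slinfactory.c` measures free space as `AST_SLINFACTORY_MAX_HOLD - sf->holdlen`, but the `memcpy` right after it writes at the start of `sf->hold` and `holdlen` is then overwritten with `remain`, so the capacity that matters for this copy is the whole array. Since `holdlen` is a `size_t`, the subtraction would also wrap to a very large value if `holdlen` were ever above the maximum, leaving `remain` unclamped; comparing against the constant alone, `if (remain > AST_SLINFACTORY_MAX_HOLD) { remain = AST_SLINFACTORY_MAX_HOLD; }`, bounds the write without depending on that invariant. If `holdlen` is guaranteed to be zero on this path (the earlier part of `ast_slinfactory_read` is outside the hunk), a short comment saying so would help. The samples that do not fit are dropped silently, and `sf->size` is presumably adjusted elsewhere in the function, so it is worth confirming the sample accounting still matches and logging the truncation.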