From 3d03fca94acb556c1ea803feef0030c915b09dad Mon Sep 17 00:00:00 2001
From: neutrino88
Date: Tue, 25 Sep 2018 17:19:36 -0400
Subject: [PATCH] core/frame: Fix ast_frdup() and ast_frisolate() for empty text frames

If a channel creates an AST_TEXT_FRAME with datalen == 0, the ast_frdup() and ast_frisolate() functions could create a clone frame with an invalid data.ptr which would cause a crash. The proposed fix is to make sure that for such empty text frames, ast_frdup() and ast_frisolate() return cloned text frames with a valid data.ptr.
ASTERISK-28076
Reported by: Emmanuel BUU
Tested by: Emmanuel BUU
Change-Id: Ib882dd028598f13c4c233edbfdd7e54ad44a68e9
---
 main/frame.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/main/frame.c b/main/frame.c
index 19f3654412..6dc28a70da 100644
--- a/main/frame.c
+++ b/main/frame.c
@@ -260,7 +260,7 @@ struct ast_frame *ast_frisolate(struct ast_frame *fr)
 if (!(fr->mallocd & AST_MALLOCD_DATA)) {
 /* The original frame has a non-malloced data buffer. */
- if (!fr->datalen) {
+ if (!fr->datalen && fr->frametype != AST_FRAME_TEXT) {
 /* Actually it's just an int so we can simply copy it. */
 out->data.uint32 = fr->data.uint32;
 return out;
@@ -357,7 +357,8 @@ struct ast_frame *ast_frdup(const struct ast_frame *f)
 */
 out->mallocd = AST_MALLOCD_HDR;
 out->offset = AST_FRIENDLY_OFFSET;
- if (out->datalen) {
+ /* Make sure that empty text frames have a valid data.ptr */
+ if (out->datalen || f->frametype == AST_FRAME_TEXT) {
 out->data.ptr = buf + sizeof(*out) + AST_FRIENDLY_OFFSET;
 memcpy(out->data.ptr, f->data.ptr, out->datalen);
 } else {
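Review bot: The new `fr->frametype != AST_FRAME_TEXT` test in ast_frisolate() carries no comment, unlike the matching change in ast_frdup(), and the existing "it's just an int" comment no longer explains the whole condition. I would add `/* Empty text frames still need a valid data.ptr, so they take the copy path below. */` above the `if`. An empty text frame now falls through to the buffer-duplication code that follows this hunk, which is not visible here. It is worth confirming that this path copes with `datalen == 0` and with a source `data.ptr` that may be NULL or hold an integer, since such frames were previously handled through `data.uint32`. The body of ast_frisolate() starts and ends outside the hunk.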
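Review bot: For an empty text frame the widened condition in ast_frdup() now reaches `memcpy(out->data.ptr, f->data.ptr, out->datalen)` with a length of zero, and if the source frame's `data.ptr` is NULL or not a real pointer that call is undefined behaviour even though no bytes are copied. I would keep the pointer assignment but guard the copy, `if (out->datalen) memcpy(out->data.ptr, f->data.ptr, out->datalen);`. Nothing in the hunk writes a terminator at `out->data.ptr`, so a consumer that reads text frame data as a C string could read past the clone's payload. The allocation size is computed outside the hunk, so whether a spare byte exists for `*(char *)out->data.ptr = '\0';` needs checking there. ast_frdup() starts and ends outside the hunk.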