From c5dc2fb4ab3533a4cf8f85940d862443f7abdb20 Mon Sep 17 00:00:00 2001 From: Kevin Harwell Date: Wed, 31 Jan 2018 13:33:16 -0600 Subject: [PATCH] AST-2018-002: Crash with an invalid SDP media format description pjproject's media format parsing algorithm failed to catch invalid values. Because of this Asterisk would crash if given an SDP with a invalid media format description. When parsing the media format description this patch now properly parses the value and returns an error status if it can't successfully parse/convert the value. ASTERISK-27582 #close Change-Id: I883b3a4ef85b6972397f7b56bf46c5779c55fdd6 --- .../patches/0070-sdp_media_fmt.patch | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 third-party/pjproject/patches/0070-sdp_media_fmt.patch diff --git a/third-party/pjproject/patches/0070-sdp_media_fmt.patch b/third-party/pjproject/patches/0070-sdp_media_fmt.patch new file mode 100644 index 0000000000..0a0977d558 --- /dev/null +++ b/third-party/pjproject/patches/0070-sdp_media_fmt.patch @@ -0,0 +1,19 @@ +diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c +index a3dd80b..0a13206 100644 +--- a/pjmedia/src/pjmedia/sdp.c ++++ b/pjmedia/src/pjmedia/sdp.c +@@ -1516,11 +1516,12 @@ PJ_DEF(pj_status_t) pjmedia_sdp_validate2(const pjmedia_sdp_session *sdp, + * RTC based programs sends "null" for instant messaging! + */ + if (pj_isdigit(*m->desc.fmt[j].ptr)) { +- unsigned pt = pj_strtoul(&m->desc.fmt[j]); ++ unsigned long pt; ++ pj_status_t status = pj_strtoul3(&m->desc.fmt[j], &pt, 10); + + /* Payload type is between 0 and 127. + */ +- CHECK( pt <= 127, PJMEDIA_SDP_EINPT); ++ CHECK( status == PJ_SUCCESS && pt <= 127, PJMEDIA_SDP_EINPT); + + /* If port is not zero, then for each dynamic payload type, an + * rtpmap attribute must be specified.