TT#66752 fix incorrect PCRE API usage

1) pcre_exec takes the number of elements in the ovec array, not its size in bytes 2) fix off-by-one error in matching and replacing substrings This bug was triggered by a match string of "^00|\\+([1-9][0-9]+)$" and a replacement string of "$1" against a subject string "0000". pcre_exec would return 1, with the single substring capture in ovec being unset. The code would try to extract the $1 match but would run into uninitialised values. Change-Id: I3898fa8b807994b0b65fefb3f61cc9756180c490
6 years ago · a568cefd1d
parent 28cae61370
commit a568cefd1d
2 changed files with 30 additions and 0 deletions
--- a/debian/patches/series
+++ b/debian/patches/series
@ -23,3 +23,4 @@ sipwise_vm_store_message_add_diag_info.patch
 sipwise_vm_fix_envelope_play.patch
 sipwise_vm_asterisk_16_support.patch
 sipwise_vm_pointers_malloc.patch
+sipwise_fix_app_voicemail_bugs.patch
--- a/debian/patches/sipwise_fix_app_voicemail_bugs.patch
+++ b/debian/patches/sipwise_fix_app_voicemail_bugs.patch
@ -0,0 +1,29 @@
+--- a/apps/app_voicemail.c
+++ b/apps/app_voicemail.c
+@@ -1318,7 +1318,7 @@
+ 	while(*cp) {
+ 		if (*cp == '$' && isdigit(cp[1])) {
+ 			val = strtoul(&cp[1], &cp, 10);
+-			if (val && val <= nmat + 1)
+			if (val && val <= nmat)
+ 				len += replen[val -1];
+ 			else
+ 				fprintf(stderr, "repl %d out of range\n", val);
+@@ -1338,7 +1338,7 @@
+ 	while(*cp) {
+ 		if (*cp == '$' && isdigit(cp[1])) {
+ 			val = strtoul(&cp[1], &cp, 10);
+-			if (val && val <= nmat + 1) {
+			if (val && val <= nmat) {
+ 				strncpy(out, repstr[val - 1], replen[val - 1]);
+ 				out += replen[val -1];
+ 			}
+@@ -1385,7 +1385,7 @@
+ 	int nmat;
+ 	int ovec[MAXCAPTURE * 3];
+ 	nmat = pcre_exec(ppat, extra, str, len, offset, options,
+-		ovec, sizeof(ovec));
+		ovec, sizeof(ovec) / sizeof(*ovec));
+ 	if (nmat <= 0)
+ 		return NULL;
+ 	return(edit(str, len, rep, nmat, ovec));