From 078b0b0eff3dcd24c93c22ff59b151b767c7d06b Mon Sep 17 00:00:00 2001
From: Russell Bryant <russell@russellbryant.com>
Date: Tue, 1 Sep 2009 20:44:13 +0000
Subject: [PATCH] Fix memory corruption caused by format_mp3.

format_mp3 claimed that it provided AST_FRIENDLY_OFFSET in frames returned by
read().  However, it lied.  This means that other parts of the code that
attempted to make use of the offset buffer would end up corrupting the fields
in the ast_filestream structure.  This resulted in quite a few crashes due to
unexpected values for fields in ast_filestream.

This patch closes out quite a few bugs.  However, some of these bugs have been
open for a while and have been an area where more than one bug has been
discussed.  So with that said, anyone that is following one of the issues
closed here, if you still have a problem, please open a new bug report for the
specific problem you are still having.  If you do, please ensure that the bug
report is based on the newest version of Asterisk, and that this patch is
applied if format_mp3 is in use.  Thanks!

(closes issue #15109)
Reported by: jvandal
Tested by: aragon, russell, zerohalo, marhbere, rgj

(closes issue #14958)
Reported by: aragon

(closes issue #15123)
Reported by: axisinternet

(closes issue #15041)
Reported by: maxnuv

(closes issue #15396)
Reported by: aragon

(closes issue #15195)
Reported by: amorsen
Tested by: amorsen

(closes issue #15781)
Reported by: jensvb

(closes issue #15735)
Reported by: thom4fun

(closes issue #15460)
Reported by: marhbere


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@215212 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 addons/format_mp3.c | 13 +------------
 1 file changed, 1 insertion(+), 12 deletions(-)

diff --git a/addons/format_mp3.c b/addons/format_mp3.c
index 2c27243e2f..ae6c1a68bb 100644
--- a/addons/format_mp3.c
+++ b/addons/format_mp3.c
@@ -98,16 +98,7 @@ static const char name[] = "mp3";
 static int mp3_open(struct ast_filestream *s)
 {
 	struct mp3_private *p = s->_private;
-	
 	InitMP3(&p->mp, OUTSCALE);
-	p->dbuflen = 0;
-	s->fr.data.ptr = s->buf;
-	s->fr.frametype = AST_FRAME_VOICE;
-	s->fr.subclass = AST_FORMAT_SLINEAR;
-	/* datalen will vary for each frame */
-	s->fr.src = name;
-	s->fr.mallocd = 0;
-	p->offset = 0;
 	return 0;
 }
 
@@ -234,9 +225,7 @@ static struct ast_frame *mp3_read(struct ast_filestream *s, int *whennext)
 	delay = p->buflen/2;
 	s->fr.frametype = AST_FRAME_VOICE;
 	s->fr.subclass = AST_FORMAT_SLINEAR;
-	s->fr.offset = AST_FRIENDLY_OFFSET;
-	s->fr.datalen = p->buflen;
-	s->fr.data.ptr = s->buf;
+	AST_FRAME_SET_BUFFER(&s->fr, s->buf, AST_FRIENDLY_OFFSET, p->buflen);
 	s->fr.mallocd = 0;
 	s->fr.samples = delay;
 	*whennext = delay;
-- 
GitLab