From 148e8799fefb48fd324ce9b8813d1919ba72a8fd Mon Sep 17 00:00:00 2001
From: Richard Mudgett <rmudgett@digium.com>
Date: Fri, 20 Mar 2015 18:27:22 +0000
Subject: [PATCH] res_pjsip_sdp_rtp,sorcery: Fix invalid access and memory leak
 respectively.

Valgrind found a memory leak and invalid access.

* Fix invalid access by sscanf() being fed a non-nul terminated string of
digits in res/res_pjsip_sdp_rtp.c:get_codecs().

* Fix memory leak in main/sorcery.c:sorcery_object_field_destructor().

* Fix potential NULL pointer dereference in
main/xmldoc.c:xmldoc_get_syntax_config_option().

Review: https://reviewboard.asterisk.org/r/4513/
........

Merged revisions 433199 from http://svn.asterisk.org/svn/asterisk/branches/13


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@433200 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 main/sorcery.c          | 1 +
 main/xmldoc.c           | 2 +-
 res/res_pjsip_sdp_rtp.c | 6 +++++-
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/main/sorcery.c b/main/sorcery.c
index cec3f1b39a..879723be4b 100644
--- a/main/sorcery.c
+++ b/main/sorcery.c
@@ -1078,6 +1078,7 @@ static void sorcery_object_field_destructor(void *obj)
 
 	if (object_field->name_regex) {
 		regfree(object_field->name_regex);
+		ast_free(object_field->name_regex);
 	}
 }
 
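Review bot: The paired `regfree()`/`ast_free()` calls in `sorcery_object_field_destructor()` deserve a one-line comment, because the reason both are needed is easy to lose in a later cleanup: `/* regfree() releases only the compiled pattern; the regex_t itself is heap-allocated and must be freed separately */`. The allocation of `name_regex` is outside this hunk, so confirm it always comes from the matching ast_ allocator and is only ever set after a successful compile. The start of the destructor is also outside the hunk.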
diff --git a/main/xmldoc.c b/main/xmldoc.c
index 395df8ea0c..e334e878ef 100644
--- a/main/xmldoc.c
+++ b/main/xmldoc.c
@@ -1239,7 +1239,7 @@ static char *xmldoc_get_syntax_config_option(struct ast_xml_node *fixnode, const
 	regex = ast_xml_get_attribute(fixnode, "regex");
 	ast_str_set(&syntax, 0, "%s = [%s] (Default: %s) (Regex: %s)\n",
 		name,
-		type,
+		type ?: "",
 		default_value ?: "n/a",
 		regex ?: "False");
 
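Review bot: The fallback for a missing `type` attribute is an empty string, while the neighbouring arguments use visible placeholders (`"n/a"`, `"False"`), so the generated line reads `name = []` and the missing attribute goes unnoticed in the rendered documentation. A consistent placeholder such as `type ?: "n/a",` would keep the NULL guard and make the gap visible. `name` is passed to the same `%s` without a guard; its origin is outside the hunk, so confirm it can never be NULL here.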
diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c
index 6856b73f78..f396bfea08 100644
--- a/res/res_pjsip_sdp_rtp.c
+++ b/res/res_pjsip_sdp_rtp.c
@@ -180,7 +180,11 @@ static void get_codecs(struct ast_sip_session *session, const struct pjmedia_sdp
 		}
 
 		if ((pjmedia_sdp_attr_get_fmtp(attr, &fmtp)) == PJ_SUCCESS) {
-			sscanf(pj_strbuf(&fmtp.fmt), "%d", &num);
+			ast_copy_pj_str(fmt_param, &fmtp.fmt, sizeof(fmt_param));
+			if (sscanf(fmt_param, "%30d", &num) != 1) {
+				continue;
+			}
+
 			if ((format = ast_rtp_codecs_get_payload_format(codecs, num))) {
 				struct ast_format *format_parsed;
 
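Review bot: The `%30d` width in the new `sscanf()` still lets a remote SDP supply up to 30 digits, which does not fit in an `int` (the conversion result is then undefined), and `num` reaches `ast_rtp_codecs_get_payload_format()` without a range check. Since the fmtp format value comes from the peer, I would narrow the parse to a payload-type-sized field and reject negatives, e.g. `if (sscanf(fmt_param, "%3d", &num) != 1 || num < 0) {`. Whether the lookup bounds-checks `num` itself is not visible here. `fmt_param` is declared outside the hunk, so also confirm it is large enough that truncation in `ast_copy_pj_str()` cannot turn an over-long format string into a different, valid-looking number. The body of `get_codecs()` continues beyond the hunk.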
-- 
GitLab