From 43bd3580e213554ef16ae89cbb91fc749a66db60 Mon Sep 17 00:00:00 2001
From: Scott Griepentrog <sgriepentrog@digium.com>
Date: Wed, 21 May 2014 19:08:39 +0000
Subject: [PATCH] pbx.c: prevent potential crash from recursive replace()

Recurisve usage of replace() resulted in corruption of the
temporary string storage and potential crash.  By changing
the string to be allocated separtely per instance, this is
eliminated.

ASTERISK-23650 #comment Reported by: Roel van Meer
ASTERISK-23650 #close

Review: https://reviewboard.asterisk.org/r/3539/
........

Merged revisions 414214 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 414215 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 414216 from http://svn.asterisk.org/svn/asterisk/branches/12


git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@414217 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---
 funcs/func_strings.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/funcs/func_strings.c b/funcs/func_strings.c
index ac889ec048..c3d768384a 100644
--- a/funcs/func_strings.c
+++ b/funcs/func_strings.c
@@ -798,7 +798,7 @@ static int replace(struct ast_channel *chan, const char *cmd, char *data, struct
 		AST_APP_ARG(replace);
 	);
 	char *strptr, *varsubst;
-	struct ast_str *str = ast_str_thread_get(&result_buf, 16);
+	RAII_VAR(struct ast_str *, str, ast_str_create(16), ast_free);
 	char find[256]; /* Only 256 characters possible */
 	char replace[2] = "";
 	size_t unused;
-- 
GitLab