core/frame: Fix ast_frdup() and ast_frisolate() for empty text frames

If a channel creates an AST_TEXT_FRAME with datalen == 0, the ast_frdup() and ast_frisolate() functions could create a clone frame with an invalid data.ptr which would cause a crash. The proposed fix is to make sure that for such empty text frames, ast_frdup() and ast_frisolate() return cloned text frames with a valid data.ptr. ASTERISK-28076 Reported by: Emmanuel BUU Tested by: Emmanuel BUU Change-Id: Ib882dd028598f13c4c233edbfdd7e54ad44a68e9

core/frame: Fix ast_frdup() and ast_frisolate() for empty text frames
633ac0e9 · neutrino88 · Richard Mudgett · 308c3f9c · 633ac0e9
Commit 633ac0e9 authored 6 years ago by neutrino88 Committed by Richard Mudgett 6 years ago
--- a/main/frame.c
+++ b/main/frame.c
@@ -259,7 +259,7 @@ struct ast_frame *ast_frisolate(struct ast_frame *fr)
 	if (!(fr->mallocd & AST_MALLOCD_DATA))  {
 		/* The original frame has a non-malloced data buffer. */
-		if (!fr->datalen) {
+		if (!fr->datalen && fr->frametype != AST_FRAME_TEXT) {
 			/* Actually it's just an int so we can simply copy it. */
 			out->data.uint32 = fr->data.uint32;
 			return out;
@@ -356,7 +356,8 @@ struct ast_frame *ast_frdup(const struct ast_frame *f)
 	 */
 	out->mallocd = AST_MALLOCD_HDR;
 	out->offset = AST_FRIENDLY_OFFSET;
-	if (out->datalen) {
+	/* Make sure that empty text frames have a valid data.ptr */
+	if (out->datalen || f->frametype == AST_FRAME_TEXT) {
 		out->data.ptr = buf + sizeof(*out) + AST_FRIENDLY_OFFSET;
 		memcpy(out->data.ptr, f->data.ptr, out->datalen);
 	} else {