Commit 916a397f authored by Matthew Jordan

AST-2013-001: Prevent buffer overflow through H.264 format negotiation

The format attribute resource for H.264 video performs an unsafe read against a
media attribute when parsing the SDP. The value passed in with the format
attribute is not checked for its length when parsed into a fixed length buffer.
This patch resolves the vulnerability by only reading as many characters from
the SDP value as will fit into the buffer.

(closes issue ASTERISK-20901)
Reported by: Ulf Harnhammar
patches:
  h264_overflow_security_patch.diff uploaded by jrose (License 6182)



git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/11@383973 65c4cc65-6c06-0410-ace0-fbb531ad65f3
parent 1eff40f2
...@@ -41,8 +41,14 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$") ...@@ -41,8 +41,14 @@ ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
/*! \brief Value that indicates an attribute is actually unset */ /*! \brief Value that indicates an attribute is actually unset */
#define H264_ATTR_KEY_UNSET UINT8_MAX #define H264_ATTR_KEY_UNSET UINT8_MAX
/*! \brief Maximum size for SPS / PPS values in sprop-parameter-sets attribute */ /*! \brief Maximum size for SPS / PPS values in sprop-parameter-sets attribute
* if you change this value then you must change H264_MAX_SPS_PPS_SIZE_SCAN_LIMIT
* as well. */
#define H264_MAX_SPS_PPS_SIZE 16 #define H264_MAX_SPS_PPS_SIZE 16
/*! \brief This is used when executing sscanf on buffers of H264_MAX_SPS_PPS_SIZE
* length. It must ALWAYS be a string literal representation of one less than
* H264_MAX_SPS_PPS_SIZE */
#define H264_MAX_SPS_PPS_SIZE_SCAN_LIMIT "15"
enum h264_attr_keys { enum h264_attr_keys {
H264_ATTR_KEY_PROFILE_IDC, H264_ATTR_KEY_PROFILE_IDC,
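Review bot: H264_MAX_SPS_PPS_SIZE_SCAN_LIMIT is a hand-maintained string literal "15" that has to track H264_MAX_SPS_PPS_SIZE, and only the two comments enforce that. If the size is ever lowered without touching the limit, the sscanf field width exceeds the buffer again and the overflow returns. Consider making the limit the single numeric source, deriving the buffer size as limit + 1 and producing the format-string width from it with a stringify macro, or at minimum adding a compile-time check that ties the two values together.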
...@@ -111,7 +117,8 @@ static int h264_format_attr_sdp_parse(struct ast_format_attr *format_attr, const ...@@ -111,7 +117,8 @@ static int h264_format_attr_sdp_parse(struct ast_format_attr *format_attr, const
format_attr->format_attr[H264_ATTR_KEY_PROFILE_IDC] = ((val2 >> 16) & 0xFF); format_attr->format_attr[H264_ATTR_KEY_PROFILE_IDC] = ((val2 >> 16) & 0xFF);
format_attr->format_attr[H264_ATTR_KEY_PROFILE_IOP] = ((val2 >> 8) & 0xFF); format_attr->format_attr[H264_ATTR_KEY_PROFILE_IOP] = ((val2 >> 8) & 0xFF);
format_attr->format_attr[H264_ATTR_KEY_LEVEL] = (val2 & 0xFF); format_attr->format_attr[H264_ATTR_KEY_LEVEL] = (val2 & 0xFF);
} else if (sscanf(attrib, "sprop-parameter-sets=%[^','],%s", sps, pps) == 2) { } else if (sscanf(attrib, "sprop-parameter-sets=%" H264_MAX_SPS_PPS_SIZE_SCAN_LIMIT "[^','],%" H264_MAX_SPS_PPS_SIZE_SCAN_LIMIT "s", sps, pps) == 2) {
/* XXX sprop-parameter-sets can actually be of unlimited length. This may need to be addressed later. */
unsigned char spsdecoded[H264_MAX_SPS_PPS_SIZE] = { 0, }, ppsdecoded[H264_MAX_SPS_PPS_SIZE] = { 0, }; unsigned char spsdecoded[H264_MAX_SPS_PPS_SIZE] = { 0, }, ppsdecoded[H264_MAX_SPS_PPS_SIZE] = { 0, };
int i; int i;
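Review bot: in the sscanf call, the added field widths stop the write past sps and pps, but an over-long sprop-parameter-sets value is now truncated silently: sscanf still returns 2 and the branch continues with partial sps and pps strings. The XXX comment already notes that these values can be of unlimited length, so it would be safer to detect truncation (for example by comparing the input length against the limit) and skip the attribute with a log message instead of storing a cut-off parameter set. The declarations of sps and pps are outside this hunk; please confirm both are H264_MAX_SPS_PPS_SIZE bytes, since a width of 15 is only safe for a 16-byte buffer.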