From d3a398cf9058219445fb1c54bfa88bb0f54a2fc4 Mon Sep 17 00:00:00 2001
From: Kevin Harwell <kharwell@digium.com>
Date: Wed, 31 Jan 2018 13:33:16 -0600
Subject: [PATCH] AST-2018-002: Crash with an invalid SDP media format
 description

pjproject's media format parsing algorithm failed to catch invalid values.
Because of this Asterisk would crash if given an SDP with a invalid media
format description.

When parsing the media format description this patch now properly parses the
value and returns an error status if it can't successfully parse/convert the
value.

ASTERISK-27582 #close

Change-Id: I883b3a4ef85b6972397f7b56bf46c5779c55fdd6
---
 .../patches/0070-sdp_media_fmt.patch          | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 third-party/pjproject/patches/0070-sdp_media_fmt.patch

diff --git a/third-party/pjproject/patches/0070-sdp_media_fmt.patch b/third-party/pjproject/patches/0070-sdp_media_fmt.patch
new file mode 100644
index 0000000000..0a0977d558
--- /dev/null
+++ b/third-party/pjproject/patches/0070-sdp_media_fmt.patch
@@ -0,0 +1,19 @@
+diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
+index a3dd80b..0a13206 100644
+--- a/pjmedia/src/pjmedia/sdp.c
++++ b/pjmedia/src/pjmedia/sdp.c
+@@ -1516,11 +1516,12 @@ PJ_DEF(pj_status_t) pjmedia_sdp_validate2(const pjmedia_sdp_session *sdp,
+ 	     * RTC based programs sends "null" for instant messaging!
+ 	     */
+ 	    if (pj_isdigit(*m->desc.fmt[j].ptr)) {
+-		unsigned pt = pj_strtoul(&m->desc.fmt[j]);
++		unsigned long pt;
++		pj_status_t status = pj_strtoul3(&m->desc.fmt[j], &pt, 10);
+ 
+ 		/* Payload type is between 0 and 127. 
+ 		 */
+-		CHECK( pt <= 127, PJMEDIA_SDP_EINPT);
++		CHECK( status == PJ_SUCCESS && pt <= 127, PJMEDIA_SDP_EINPT);
+ 
+ 		/* If port is not zero, then for each dynamic payload type, an
+ 		 * rtpmap attribute must be specified.
-- 
GitLab