From f145b5854266dd58d37a6b0be9c72dcca766bed3 Mon Sep 17 00:00:00 2001
From: Kevin Harwell <kharwell@digium.com>
Date: Thu, 1 Aug 2019 16:22:01 -0500
Subject: [PATCH] various modules: json integer overflow

There were still a few places in the code that could overflow when "packing"
a json object with a value outside the base type integer's range. For instance:

unsigned int value = INT_MAX + 1
ast_json_pack("{s: i}", value);

would result in a negative number being "packed". In those situations this patch
alters those values to a ast_json_int_t, which widens the value up to a long or
long long.

ASTERISK-28480

Change-Id: Ied530780d83e6f1772adba0e28d8938ef30c49a1
---
 apps/app_agent_pool.c   |  4 ++--
 apps/app_queue.c        | 12 ++++++------
 channels/chan_iax2.c    |  8 ++++----
 funcs/func_talkdetect.c |  2 +-
 main/aoc.c              |  8 ++++----
 main/ccss.c             |  4 ++--
 main/channel.c          |  4 ++--
 main/core_local.c       |  6 +++---
 main/rtp_engine.c       | 24 ++++++++++++------------
 main/stasis_channels.c  |  4 ++--
 10 files changed, 38 insertions(+), 38 deletions(-)

diff --git a/apps/app_agent_pool.c b/apps/app_agent_pool.c
index 07040f6c59..b2068c1309 100644
--- a/apps/app_agent_pool.c
+++ b/apps/app_agent_pool.c
@@ -1459,9 +1459,9 @@ static void send_agent_logoff(struct ast_channel *chan, const char *agent, long
 
 	ast_assert(agent != NULL);
 
-	blob = ast_json_pack("{s: s, s: i}",
+	blob = ast_json_pack("{s: s, s: I}",
 		"agent", agent,
-		"logintime", logintime);
+		"logintime", (ast_json_int_t)logintime);
 	if (!blob) {
 		return;
 	}
diff --git a/apps/app_queue.c b/apps/app_queue.c
index c5508e30ec..53ae2ba1c5 100644
--- a/apps/app_queue.c
+++ b/apps/app_queue.c
@@ -5679,12 +5679,12 @@ static void send_agent_complete(const char *queuename, struct ast_channel_snapsh
 		break;
 	}
 
-	blob = ast_json_pack("{s: s, s: s, s: s, s: i, s: i, s: s}",
+	blob = ast_json_pack("{s: s, s: s, s: s, s: I, s: I, s: s}",
 		"Queue", queuename,
 		"Interface", member->interface,
 		"MemberName", member->membername,
-		"HoldTime", (long)(callstart - holdstart),
-		"TalkTime", (long)(time(NULL) - callstart),
+		"HoldTime", (ast_json_int_t)(callstart - holdstart),
+		"TalkTime", (ast_json_int_t)(time(NULL) - callstart),
 		"Reason", reason ?: "");
 
 	queue_publish_multi_channel_snapshot_blob(ast_queue_topic(queuename), caller, peer,
@@ -6955,12 +6955,12 @@ static int try_calling(struct queue_ent *qe, struct ast_flags opts, char **opt_a
 		ast_queue_log(queuename, ast_channel_uniqueid(qe->chan), member->membername, "CONNECT", "%ld|%s|%ld", (long) (time(NULL) - qe->start), ast_channel_uniqueid(peer),
 													(long)(orig - to > 0 ? (orig - to) / 1000 : 0));
 
-		blob = ast_json_pack("{s: s, s: s, s: s, s: i, s: i}",
+		blob = ast_json_pack("{s: s, s: s, s: s, s: I, s: I}",
 				     "Queue", queuename,
 				     "Interface", member->interface,
 				     "MemberName", member->membername,
-				     "HoldTime", (long) (time(NULL) - qe->start),
-				     "RingTime", (long)(orig - to > 0 ? (orig - to) / 1000 : 0));
+				     "HoldTime", (ast_json_int_t)(time(NULL) - qe->start),
+				     "RingTime", (ast_json_int_t)(orig - to > 0 ? (orig - to) / 1000 : 0));
 		queue_publish_multi_channel_blob(qe->chan, peer, queue_agent_connect_type(), blob);
 
 		ast_copy_string(oldcontext, ast_channel_context(qe->chan), sizeof(oldcontext));
diff --git a/channels/chan_iax2.c b/channels/chan_iax2.c
index 43f7d2c635..3bf06d06ec 100644
--- a/channels/chan_iax2.c
+++ b/channels/chan_iax2.c
@@ -11137,18 +11137,18 @@ static int socket_process_helper(struct iax2_thread *thread)
 						if (iaxs[fr->callno]->pingtime <= peer->maxms) {
 							ast_log(LOG_NOTICE, "Peer '%s' is now REACHABLE! Time: %u\n", peer->name, iaxs[fr->callno]->pingtime);
 							ast_endpoint_set_state(peer->endpoint, AST_ENDPOINT_ONLINE);
-							blob = ast_json_pack("{s: s, s: i}",
+							blob = ast_json_pack("{s: s, s: I}",
 								"peer_status", "Reachable",
-								"time", iaxs[fr->callno]->pingtime);
+								"time", (ast_json_int_t)iaxs[fr->callno]->pingtime);
 							ast_devstate_changed(AST_DEVICE_NOT_INUSE, AST_DEVSTATE_CACHABLE, "IAX2/%s", peer->name); /* Activate notification */
 						}
 					} else if ((peer->historicms > 0) && (peer->historicms <= peer->maxms)) {
 						if (iaxs[fr->callno]->pingtime > peer->maxms) {
 							ast_log(LOG_NOTICE, "Peer '%s' is now TOO LAGGED (%u ms)!\n", peer->name, iaxs[fr->callno]->pingtime);
 							ast_endpoint_set_state(peer->endpoint, AST_ENDPOINT_ONLINE);
-							blob = ast_json_pack("{s: s, s: i}",
+							blob = ast_json_pack("{s: s, s: I}",
 								"peer_status", "Lagged",
-								"time", iaxs[fr->callno]->pingtime);
+								"time", (ast_json_int_t)iaxs[fr->callno]->pingtime);
 							ast_devstate_changed(AST_DEVICE_UNAVAILABLE, AST_DEVSTATE_CACHABLE, "IAX2/%s", peer->name); /* Activate notification */
 						}
 					}
diff --git a/funcs/func_talkdetect.c b/funcs/func_talkdetect.c
index 9700a2451d..3a7b2ad648 100644
--- a/funcs/func_talkdetect.c
+++ b/funcs/func_talkdetect.c
@@ -205,7 +205,7 @@ static int talk_detect_audiohook_cb(struct ast_audiohook *audiohook, struct ast_
 			int64_t diff_ms = ast_tvdiff_ms(ast_tvnow(), td_params->talking_start);
 			diff_ms -= td_params->dsp_silence_threshold;
 
-			blob = ast_json_pack("{s: i}", "duration", diff_ms);
+			blob = ast_json_pack("{s: I}", "duration", (ast_json_int_t)diff_ms);
 			if (!blob) {
 				return 1;
 			}
diff --git a/main/aoc.c b/main/aoc.c
index 725e910717..c797610fc2 100644
--- a/main/aoc.c
+++ b/main/aoc.c
@@ -1739,13 +1739,13 @@ static struct ast_json *s_to_json(const struct ast_aoc_decoded *decoded)
 				decoded->aoc_s_entries[i].rate.duration.amount,
 				decoded->aoc_s_entries[i].rate.duration.multiplier);
 
-			time = ast_json_pack("{s:i, s:i}",
-				"Length", decoded->aoc_s_entries[i].rate.duration.time,
+			time = ast_json_pack("{s:I, s:i}",
+				"Length", (ast_json_int_t)decoded->aoc_s_entries[i].rate.duration.time,
 				"Scale", decoded->aoc_s_entries[i].rate.duration.time_scale);
 
 			if (decoded->aoc_s_entries[i].rate.duration.granularity_time) {
-				granularity = ast_json_pack("{s:i, s:i}",
-					"Length", decoded->aoc_s_entries[i].rate.duration.granularity_time,
+				granularity = ast_json_pack("{s:I, s:i}",
+					"Length", (ast_json_int_t)decoded->aoc_s_entries[i].rate.duration.granularity_time,
 					"Scale", decoded->aoc_s_entries[i].rate.duration.granularity_time_scale);
 			}
 
diff --git a/main/ccss.c b/main/ccss.c
index 205dc1b063..b27287e443 100644
--- a/main/ccss.c
+++ b/main/ccss.c
@@ -1082,9 +1082,9 @@ static void cc_publish_offertimerstart(int core_id, const char *caller, unsigned
 {
 	struct ast_json *extras;
 
-	extras = ast_json_pack("{s: s, s: i}",
+	extras = ast_json_pack("{s: s, s: I}",
 		"caller", caller,
-		"expires", expires);
+		"expires", (ast_json_int_t)expires);
 
 	cc_publish(ast_cc_offertimerstart_type(), core_id, extras);
 	ast_json_unref(extras);
diff --git a/main/channel.c b/main/channel.c
index e95eac04d8..ff25c98569 100644
--- a/main/channel.c
+++ b/main/channel.c
@@ -3688,10 +3688,10 @@ static void send_dtmf_end_event(struct ast_channel *chan,
 	RAII_VAR(struct ast_json *, blob, NULL, ast_json_unref);
 	char digit_str[] = { digit, '\0' };
 
-	blob = ast_json_pack("{ s: s, s: s, s: i }",
+	blob = ast_json_pack("{ s: s, s: s, s: I }",
 		"digit", digit_str,
 		"direction", dtmf_direction_to_string(direction),
-		"duration_ms", duration_ms);
+		"duration_ms", (ast_json_int_t)duration_ms);
 	if (!blob) {
 		return;
 	}
diff --git a/main/core_local.c b/main/core_local.c
index 12e41f99ef..59c789abde 100644
--- a/main/core_local.c
+++ b/main/core_local.c
@@ -416,8 +416,8 @@ static void local_optimization_started_cb(struct ast_unreal_pvt *base, struct as
 		return;
 	}
 
-	json_object = ast_json_pack("{s: i, s: i}",
-			"dest", dest, "id", id);
+	json_object = ast_json_pack("{s: i, s: I}",
+			"dest", dest, "id", (ast_json_int_t)id);
 
 	if (!json_object) {
 		return;
@@ -458,7 +458,7 @@ static void local_optimization_finished_cb(struct ast_unreal_pvt *base, int succ
 		return;
 	}
 
-	json_object = ast_json_pack("{s: i, s: i}", "success", success, "id", id);
+	json_object = ast_json_pack("{s: i, s: I}", "success", success, "id", (ast_json_int_t)id);
 
 	if (!json_object) {
 		return;
diff --git a/main/rtp_engine.c b/main/rtp_engine.c
index e1a1e0b5d5..c56ec5fa31 100644
--- a/main/rtp_engine.c
+++ b/main/rtp_engine.c
@@ -2535,14 +2535,14 @@ static struct ast_json *rtcp_report_to_json(struct stasis_message *msg,
 		char str_lsr[32];
 
 		snprintf(str_lsr, sizeof(str_lsr), "%u", payload->report->report_block[i]->lsr);
-		json_report_block = ast_json_pack("{s: I, s: i, s: i, s: i, s: i, s: s, s: i}",
+		json_report_block = ast_json_pack("{s: I, s: I, s: I, s: I, s: I, s: s, s: I}",
 			"source_ssrc", (ast_json_int_t)payload->report->report_block[i]->source_ssrc,
-			"fraction_lost", payload->report->report_block[i]->lost_count.fraction,
-			"packets_lost", payload->report->report_block[i]->lost_count.packets,
-			"highest_seq_no", payload->report->report_block[i]->highest_seq_no,
-			"ia_jitter", payload->report->report_block[i]->ia_jitter,
+			"fraction_lost", (ast_json_int_t)payload->report->report_block[i]->lost_count.fraction,
+			"packets_lost", (ast_json_int_t)payload->report->report_block[i]->lost_count.packets,
+			"highest_seq_no", (ast_json_int_t)payload->report->report_block[i]->highest_seq_no,
+			"ia_jitter", (ast_json_int_t)payload->report->report_block[i]->ia_jitter,
 			"lsr", str_lsr,
-			"dlsr", payload->report->report_block[i]->dlsr);
+			"dlsr", (ast_json_int_t)payload->report->report_block[i]->dlsr);
 		if (!json_report_block
 			|| ast_json_array_append(json_rtcp_report_blocks, json_report_block)) {
 			ast_json_unref(json_rtcp_report_blocks);
@@ -2556,21 +2556,21 @@ static struct ast_json *rtcp_report_to_json(struct stasis_message *msg,
 
 		snprintf(sec, sizeof(sec), "%lu", (unsigned long)payload->report->sender_information.ntp_timestamp.tv_sec);
 		snprintf(usec, sizeof(usec), "%lu", (unsigned long)payload->report->sender_information.ntp_timestamp.tv_usec);
-		json_rtcp_sender_info = ast_json_pack("{s: s, s: s, s: i, s: i, s: i}",
+		json_rtcp_sender_info = ast_json_pack("{s: s, s: s, s: I, s: I, s: I}",
 			"ntp_timestamp_sec", sec,
 			"ntp_timestamp_usec", usec,
-			"rtp_timestamp", payload->report->sender_information.rtp_timestamp,
-			"packets", payload->report->sender_information.packet_count,
-			"octets", payload->report->sender_information.octet_count);
+			"rtp_timestamp", (ast_json_int_t)payload->report->sender_information.rtp_timestamp,
+			"packets", (ast_json_int_t)payload->report->sender_information.packet_count,
+			"octets", (ast_json_int_t)payload->report->sender_information.octet_count);
 		if (!json_rtcp_sender_info) {
 			ast_json_unref(json_rtcp_report_blocks);
 			return NULL;
 		}
 	}
 
-	json_rtcp_report = ast_json_pack("{s: I, s: i, s: i, s: o, s: o}",
+	json_rtcp_report = ast_json_pack("{s: I, s: I, s: i, s: o, s: o}",
 		"ssrc", (ast_json_int_t)payload->report->ssrc,
-		"type", payload->report->type,
+		"type", (ast_json_int_t)payload->report->type,
 		"report_count", payload->report->reception_report_count,
 		"sender_information", json_rtcp_sender_info ?: ast_json_null(),
 		"report_blocks", json_rtcp_report_blocks);
diff --git a/main/stasis_channels.c b/main/stasis_channels.c
index cc7ab7d8c4..58d52bf10d 100644
--- a/main/stasis_channels.c
+++ b/main/stasis_channels.c
@@ -1111,11 +1111,11 @@ static struct ast_json *dtmf_end_to_json(
 		return NULL;
 	}
 
-	return ast_json_pack("{s: s, s: o, s: s, s: i, s: o}",
+	return ast_json_pack("{s: s, s: o, s: s, s: I, s: o}",
 		"type", "ChannelDtmfReceived",
 		"timestamp", ast_json_timeval(*tv, NULL),
 		"digit", digit,
-		"duration_ms", duration_ms,
+		"duration_ms", (ast_json_int_t)duration_ms,
 		"channel", json_channel);
 }
 
-- 
GitLab