pbx.c: prevent potential crash from recursive replace()
author Scott Griepentrog <sgriepentrog@digium.com>
Wed, 21 May 2014 19:08:39 +0000 (19:08 +0000)
committer Scott Griepentrog <sgriepentrog@digium.com>
Wed, 21 May 2014 19:08:39 +0000 (19:08 +0000)
Recursive usage of replace() resulted in corruption of the
temporary string storage and potential crash.  By changing
the string to be allocated separately per instance, this is
eliminated.

ASTERISK-23650 #comment Reported by: Roel van Meer
ASTERISK-23650 #close

Review: https://reviewboard.asterisk.org/r/3539/
........

Merged revisions 414214 from http://svn.asterisk.org/svn/asterisk/branches/1.8
........

Merged revisions 414215 from http://svn.asterisk.org/svn/asterisk/branches/11
........

Merged revisions 414216 from http://svn.asterisk.org/svn/asterisk/branches/12

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@414217 65c4cc65-6c06-0410-ace0-fbb531ad65f3

funcs/func_strings.c

index ac889ec..c3d7683 100644 (file)
@@ -798,7 +798,7 @@ static int replace(struct ast_channel *chan, const char *cmd, char *data, struct
                AST_APP_ARG(replace);
        );
        char *strptr, *varsubst;
-       struct ast_str *str = ast_str_thread_get(&result_buf, 16);
+       RAII_VAR(struct ast_str *, str, ast_str_create(16), ast_free);
        char find[256]; /* Only 256 characters possible */
        char replace[2] = "";
        size_t unused;
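Review bot: the new `str` declaration takes the result of ast_str_create(16) with no NULL check visible in this hunk, and ast_str_create() returns NULL when the allocation fails, so replace() should test `str` and return an error before the first write to it. The old ast_str_thread_get() buffer was shared by every replace() call on the same thread, which is what a nested call overwrote; the per-call allocation with ast_free as the RAII_VAR cleanup fixes that, at the cost of one heap allocation per invocation. The same thread-local `result_buf` pattern is worth checking in the other functions in funcs/func_strings.c that can be nested through variable substitution. The subject line names pbx.c while the change is in funcs/func_strings.c, so the prefix should be corrected to make the commit easier to find.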