res_pjsip_sdp_rtp,sorcery: Fix invalid access and memory leak respectively.

Valgrind found a memory leak and invalid access.

* Fix invalid access by sscanf() being fed a non-nul terminated string of
digits in res/res_pjsip_sdp_rtp.c:get_codecs().

* Fix memory leak in main/sorcery.c:sorcery_object_field_destructor().

* Fix potential NULL pointer dereference in
main/xmldoc.c:xmldoc_get_syntax_config_option().

Review: https://reviewboard.asterisk.org/r/4513/
........

Merged revisions 433199 from http://svn.asterisk.org/svn/asterisk/branches/13

git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@433200 65c4cc65-6c06-0410-ace0-fbb531ad65f3

diff --git a/main/sorcery.c b/main/sorcery.c
index cec3f1b..879723b 100644 (file)
--- a/main/sorcery.c
+++ b/main/sorcery.c
@@ -1078,6 +1078,7 @@ static void sorcery_object_field_destructor(void *obj)
 
        if (object_field->name_regex) {
                regfree(object_field->name_regex);
+               ast_free(object_field->name_regex);
        }
 }
 

diff --git a/main/xmldoc.c b/main/xmldoc.c
index 395df8e..e334e87 100644 (file)
--- a/main/xmldoc.c
+++ b/main/xmldoc.c
@@ -1239,7 +1239,7 @@ static char *xmldoc_get_syntax_config_option(struct ast_xml_node *fixnode, const
        regex = ast_xml_get_attribute(fixnode, "regex");
        ast_str_set(&syntax, 0, "%s = [%s] (Default: %s) (Regex: %s)\n",
                name,
-               type,
+               type ?: "",
                default_value ?: "n/a",
                regex ?: "False");
 

diff --git a/res/res_pjsip_sdp_rtp.c b/res/res_pjsip_sdp_rtp.c
index 6856b73..f396bfe 100644 (file)
--- a/res/res_pjsip_sdp_rtp.c
+++ b/res/res_pjsip_sdp_rtp.c
@@ -180,7 +180,11 @@ static void get_codecs(struct ast_sip_session *session, const struct pjmedia_sdp
                }
 
                if ((pjmedia_sdp_attr_get_fmtp(attr, &fmtp)) == PJ_SUCCESS) {
-                       sscanf(pj_strbuf(&fmtp.fmt), "%d", &num);
+                       ast_copy_pj_str(fmt_param, &fmtp.fmt, sizeof(fmt_param));
+                       if (sscanf(fmt_param, "%30d", &num) != 1) {
+                               continue;
+                       }
+
                        if ((format = ast_rtp_codecs_get_payload_format(codecs, num))) {
                                struct ast_format *format_parsed;