When decode_length returns the length there is a check to see if that
length is negative, if so the decode loop breaks as this means the
limit has been reached. The problem here is that length is an
unsigned int, so length can never be negative. This resulted in
an infinite loop.
(issue #17352)
git-svn-id: https://origsvn.digium.com/svn/asterisk/trunk@264400
65c4cc65-6c06-0410-ace0-
fbb531ad65f3
{
unsigned int octet_cnt;
unsigned int octet_idx;
- unsigned int length;
unsigned int i;
+ int length; /* a negative length indicates the limit has been reached in decode_length. */
const uint8_t **pbuf;
for (octet_idx = 0, *p_num_octets = 0; ; octet_idx += octet_cnt) {