[sipX-dev] proposed fix for XPB-1023
Hi all,
Here is the root cause of the issue XPB-1023.
In a misformatted message, XPB-1023 as an example, in SdpBody, codecCount might not match the media type count. In SdpBody::getBestAudioCodecs, it allocates an array to hold the codec data with the size of codecCount. Then later it tries to fill/delete the array with size of mediaTypeCount. If codecCount < mediaTypeCount, then it tries to access some memory which does not belong to it, which causes the crash.
The proposed fix is to adjust the array size if there is a mismatch between codecCount and mediaTypeCount, to make sure the array is big enough to hold the data being processed.
Patch is attached. Have tested the fix. It worked fine.
Please let me know if the fix is acceptable.
Thanks
Huijun
Index: sipXtackLib/src/net/SdpBody.cpp
===================================================================
--- sipXtackLib/src/net/SdpBody.cpp (revision 9324)
+++ sipXtackLib/src/net/SdpBody.cpp (working copy)
@@ -898,7 +898,25 @@
getMediaPayloadType(mediaVideoIndex, MAXIMUM_MEDIA_TYPES,
&numVideoTypes, videoPayloadTypes);
+
+ // This is to handle the case that a mis-formatted message could
have codecCount
+ // not matching medieType count, we want to make sure we allocated
enough space for
+ // the array to "forgive" or "tolerate" this case.
+ if(localRtpCodecs.getCodecCount()<numAudioTypes ||
localRtpCodecs.getCodecCount()<numVideoTypes)
+ {
+ delete [] codecsInCommonArray;
+ if(numAudioTypes<=numVideoTypes)
+ {
+ codecsInCommonArray = new SdpCodec*[numVideoTypes];
+ memset(codecsInCommonArray, 0,
sizeof(SdpCodec*)*numVideoTypes);
+ }
+ else
+ {
+ codecsInCommonArray = new SdpCodec*[numAudioTypes];
+ memset(codecsInCommonArray, 0,
sizeof(SdpCodec*)*numAudioTypes);
+ }
+ }
getCodecsInCommon(numAudioTypes,
numVideoTypes,
audioPayloadTypes,
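Review bot: the reallocation in the added `if` block sizes codecsInCommonArray to the larger of numAudioTypes and numVideoTypes, which is only sufficient if getCodecsInCommon never stores more than that many entries. The call that follows passes both counts, so if audio and video matches are written into the same array the bound needs to be numAudioTypes + numVideoTypes; please confirm which it is and state it in the comment. The two branches differ only in the count, so computing one size up front and doing a single `new SdpCodec*[size]` plus `memset` would remove the duplication. Better still, the original allocation (not shown in this hunk) could use that size directly instead of being deleted and redone here; both counts come from getMediaPayloadType calls capped at MAXIMUM_MEDIA_TYPES, so a fixed upper bound is available. The later loop that frees the entries has to iterate over the same size. Minor: "medieType" in the new comment should read "mediaType".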