path: root/src
diff options
authorPhilipp Maier <pmaier@sysmocom.de>2019-03-12 09:15:47 +0100
committerPhilipp Maier <pmaier@sysmocom.de>2019-03-12 09:29:06 +0100
commit5ca043655a0b31ff79f3ee22fc5a957f571f1df8 (patch)
tree41c5e4e9f4f3e1df208d1754fa4bce8c549bfbea /src
parent3e77d5728130c8996369be88ed9be15f8ead274e (diff)
amr: be sure result of osmo_amr_bwe_to_oa() fits into int buf
osmo_amr_bwe_to_oa() uses an internal buffer with static size to store intermediate results. The buffer is large enough for any real world situation, but the check that tests if the result would fit into the internal buffer is incorrect. It checks if there is enough room for the existing payload, but does not include the expected growth of the payload. Eventually the buffer could be overrun by one byte if one would put a 256 byte long AMR payload. Fixes: CID#195926 Change-Id: I4d7ac570a0b48368a82183673c46bca5f235f228
Diffstat (limited to 'src')
1 files changed, 1 insertions, 1 deletions
diff --git a/src/amr.c b/src/amr.c
index 9b423e8..9c63f60 100644
--- a/src/amr.c
+++ b/src/amr.c
@@ -158,7 +158,7 @@ int osmo_amr_bwe_to_oa(uint8_t *payload, unsigned int payload_len,
if (payload_len + 1 > payload_maxlen)
return -1;
- if (payload_len > sizeof(buf))
+ if (payload_len + 1 > sizeof(buf))
return -1;
buf[0] = payload[0] & 0xf0;