From 72f040281b09f8ad7c44558ea46e28fa6dee0565 Mon Sep 17 00:00:00 2001
From: russell <russell@f38db490-d61c-443f-a65b-d21fe96a405b>
Date: Sat, 6 May 2006 02:25:48 +0000
Subject: fix a problem where the frame's data pointer is overwritten by the
 newly allocated data buffer before the data can be copied from it.  This is
 in the ast_frisolate() function which is rarely used.  (issue #6732,
 stefankroon)

git-svn-id: http://svn.digium.com/svn/asterisk/branches/1.2@25160 f38db490-d61c-443f-a65b-d21fe96a405b
---
 frame.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

(limited to 'frame.c')

diff --git a/frame.c b/frame.c
index fa5538f36..cef3b8a83 100644
--- a/frame.c
+++ b/frame.c
@@ -304,6 +304,8 @@ void ast_frfree(struct ast_frame *fr)
 struct ast_frame *ast_frisolate(struct ast_frame *fr)
 {
 	struct ast_frame *out;
+	void *newdata;
+
 	if (!(fr->mallocd & AST_MALLOCD_HDR)) {
 		/* Allocate a new header if needed */
 		out = ast_frame_header_new();
@@ -318,27 +320,30 @@ struct ast_frame *ast_frisolate(struct ast_frame *fr)
 		out->offset = fr->offset;
 		out->src = NULL;
 		out->data = fr->data;
-	} else {
+	} else
 		out = fr;
-	}
+	
 	if (!(fr->mallocd & AST_MALLOCD_SRC)) {
 		if (fr->src)
 			out->src = strdup(fr->src);
-	} else
-		out->src = fr->src;
+	}
+	
 	if (!(fr->mallocd & AST_MALLOCD_DATA))  {
-		out->data = malloc(fr->datalen + AST_FRIENDLY_OFFSET);
-		if (!out->data) {
+		newdata = malloc(fr->datalen + AST_FRIENDLY_OFFSET);
+		if (!newdata) {
 			free(out);
 			ast_log(LOG_WARNING, "Out of memory\n");
 			return NULL;
 		}
-		out->data += AST_FRIENDLY_OFFSET;
+		newdata += AST_FRIENDLY_OFFSET;
 		out->offset = AST_FRIENDLY_OFFSET;
 		out->datalen = fr->datalen;
-		memcpy(out->data, fr->data, fr->datalen);
+		memcpy(newdata, fr->data, fr->datalen);
+		out->data = newdata;
 	}
+
 	out->mallocd = AST_MALLOCD_HDR | AST_MALLOCD_SRC | AST_MALLOCD_DATA;
+	
 	return out;
 }
 
-- 
cgit v1.2.3