File 0001-Patch-2.1-Fixes-heap-buffer-overflow-in-osip_body_to_s.patch of Package libosip2.4662
--- src/osipparser2/osip_body.c
+++ src/osipparser2/osip_body.c
@@ -401,7 +401,7 @@
osip_free(ptr);
return i;
}
- if (length < tmp_body - ptr + strlen(tmp) + 4) {
+ if (length <= tmp_body - ptr + strlen(tmp) + 4) {
size_t len;
len = tmp_body - ptr;
@@ -416,9 +416,18 @@
}
if ((osip_list_size(body->headers) > 0) || (body->content_type != NULL)) {
+ if (length <= tmp_body - ptr + 2) {
+ size_t len;
+
+ len = tmp_body - ptr;
+ length = length + 2;
+ ptr = osip_realloc (ptr, length);
+ tmp_body = ptr + len;
+ }
+
tmp_body = osip_strn_append(tmp_body, CRLF, 2);
}
- if (length < tmp_body - ptr + body->length + 4) {
+ if (length <= tmp_body - ptr + body->length + 4) {
size_t len;
len = tmp_body - ptr;