Commit 6f414ec771 for asterisk.org

commit 6f414ec771eaa3318a4b2d28f70fa387196ae283
Author: George Joseph <gjoseph@sangoma.com>
Date:   Mon Jun 15 07:41:10 2026 -0600

    chan_unistim.c: Prevent overrun of phone_number field.

    Add a check to key_dial_page() to ensure that dialed digits won't overrun
    the phone_number field.

    Resolves: #GHSA-3g56-cgrh-95p5

diff --git a/channels/chan_unistim.c b/channels/chan_unistim.c
index d008b6bc99..95d4b89a9b 100644
--- a/channels/chan_unistim.c
+++ b/channels/chan_unistim.c
@@ -455,6 +455,8 @@ static struct unistim_device {
 	struct unistim_device *next;
 } *devices = NULL;

+#define MAX_PHONE_NUMBER_LENGTH (AST_MAX_EXTENSION - 1)
+
 static struct unistimsession {
 	ast_mutex_t lock;
 	struct sockaddr_in sin;	 /*!< IP address of the phone */
@@ -3577,6 +3579,12 @@ static void key_dial_page(struct unistimsession *pte, char keycode)
 	if ((keycode >= KEY_0) && (keycode <= KEY_SHARP)) {
 		int i = pte->device->size_phone_number;

+		/*
+		 * If the phone_number buffer is already full, bail now to prevent an overrun.
+		 */
+		if (pte->device->size_phone_number >= MAX_PHONE_NUMBER_LENGTH) {
+			return;
+		}
 		if (pte->device->size_phone_number == 0) {
 			send_tone(pte, 0, 0);
 		}