Commit d4ccfd55ff for asterisk.org

commit d4ccfd55ffd7cf6d73a6e5cde347a7464c301006
Author: Milan Kyselica <mil.kyselica@gmail.com>
Date:   Wed Apr 8 18:29:30 2026 +0200

    codec_codec2: Only process complete Codec2 frames in decoder

    The codec2_samples() function uses floor division (160 * datalen/6)
    to compute expected output samples, but the decode loop condition
    (x < datalen) iterates with ceiling behavior when datalen is not a
    multiple of CODEC2_FRAME_LEN. This mismatch causes the loop to
    decode one extra frame beyond what the framework bounds check
    budgeted for, leading to an out-of-bounds write on the output buffer.

    Change the loop condition to only process complete frames, matching
    the floor-division behavior of codec2_samples(). This also prevents
    an out-of-bounds read on the input side when fewer than
    CODEC2_FRAME_LEN bytes remain.

    Resolves: #GHSA-qf8j-jp7h-c5hx

diff --git a/codecs/codec_codec2.c b/codecs/codec_codec2.c
index 6d2a0f720c..1b9b536a59 100644
--- a/codecs/codec_codec2.c
+++ b/codecs/codec_codec2.c
@@ -77,7 +77,7 @@ static int codec2tolin_framein(struct ast_trans_pvt *pvt, struct ast_frame *f)
 	struct codec2_translator_pvt *tmp = pvt->pvt;
 	int x;

-	for (x = 0; x < f->datalen; x += CODEC2_FRAME_LEN) {
+	for (x = 0; x + CODEC2_FRAME_LEN <= f->datalen; x += CODEC2_FRAME_LEN) {
 		unsigned char *src = f->data.ptr + x;
 		int16_t *dst = pvt->outbuf.i16 + pvt->samples;