Commit 88fa1f95ca for freeswitch.com
commit 88fa1f95cac88324d26b5082bfd11a52b87b9002
Author: Andrey Volk <andywolk@gmail.com>
Date: Fri Jan 16 23:10:23 2026 +0300
[libesl] Fix heap buffer overflow in esl_buffer_write (#2979)
diff --git a/libs/esl/src/esl_buffer.c b/libs/esl/src/esl_buffer.c
index d8e206078e..510ce2f405 100644
--- a/libs/esl/src/esl_buffer.c
+++ b/libs/esl/src/esl_buffer.c
@@ -260,7 +260,7 @@ ESL_DECLARE(esl_size_t) esl_buffer_read_packet(esl_buffer_t *buffer, void *data,
ESL_DECLARE(esl_size_t) esl_buffer_write(esl_buffer_t *buffer, const void *data, esl_size_t datalen)
{
- esl_size_t freespace, actual_freespace;
+ esl_size_t freespace;
esl_assert(buffer != NULL);
esl_assert(data != NULL);
@@ -270,15 +270,19 @@ ESL_DECLARE(esl_size_t) esl_buffer_write(esl_buffer_t *buffer, const void *data,
return buffer->used;
}
- actual_freespace = buffer->datalen - buffer->actually_used;
- if (actual_freespace < datalen && (!buffer->max_len || (buffer->used + datalen <= buffer->max_len))) {
+ /* Enforce max_len limit before any write */
+ if (buffer->max_len && (buffer->used + datalen > buffer->max_len)) {
+ return 0;
+ }
+
+ freespace = buffer->datalen - buffer->actually_used;
+ if (freespace < datalen) {
memmove(buffer->data, buffer->head, buffer->used);
buffer->head = buffer->data;
buffer->actually_used = buffer->used;
+ freespace = buffer->datalen - buffer->actually_used;
}
- freespace = buffer->datalen - buffer->used;
-
/*
if (buffer->data != buffer->head) {
memmove(buffer->data, buffer->head, buffer->used);
@@ -289,25 +293,26 @@ ESL_DECLARE(esl_size_t) esl_buffer_write(esl_buffer_t *buffer, const void *data,
if (freespace < datalen) {
esl_size_t new_size, new_block_size;
void *data1;
-
+
new_size = buffer->datalen + datalen;
new_block_size = buffer->datalen + buffer->blocksize;
if (new_block_size > new_size) {
new_size = new_block_size;
}
- buffer->head = buffer->data;
+
data1 = realloc(buffer->data, new_size);
if (!data1) {
return 0;
}
+
buffer->data = data1;
buffer->head = buffer->data;
buffer->datalen = new_size;
}
- freespace = buffer->datalen - buffer->used;
+ freespace = buffer->datalen - buffer->actually_used;
if (freespace < datalen) {
return 0;