telephony/libs/pjproject/patches/0201-potential-stack-buffer-overflow-when-parsing-message-as-a-STUN-client.patch

From 450baca94f475345542c6953832650c390889202 Mon Sep 17 00:00:00 2001
From: sauwming <ming@teluu.com>
Date: Tue, 7 Jun 2022 12:00:13 +0800
Subject: [PATCH] Merge pull request from GHSA-26j7-ww69-c4qj

---
 pjlib-util/src/pjlib-util/stun_simple.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/pjlib-util/src/pjlib-util/stun_simple.c
+++ b/pjlib-util/src/pjlib-util/stun_simple.c
@@ -54,6 +54,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( vo
 {
     pj_uint16_t msg_type, msg_len;
     char *p_attr;
+    int attr_max_cnt = PJ_ARRAY_SIZE(msg->attr);
 
     PJ_CHECK_STACK();
 
@@ -83,7 +84,7 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( vo
     msg->attr_count = 0;
     p_attr = (char*)buf + sizeof(pjstun_msg_hdr);
 
-    while (msg_len > 0) {
+    while (msg_len > 0 && msg->attr_count < attr_max_cnt) {
 	pjstun_attr_hdr **attr = &msg->attr[msg->attr_count];
 	pj_uint32_t len;
 	pj_uint16_t attr_type;
@@ -111,6 +112,10 @@ PJ_DEF(pj_status_t) pjstun_parse_msg( vo
 	p_attr += len;
 	++msg->attr_count;
     }
+    if (msg->attr_count == attr_max_cnt) {
+	PJ_LOG(4, (THIS_FILE, "Warning: max number attribute %d reached.",
+		   attr_max_cnt));
+    }
 
     return PJ_SUCCESS;
 }