{14, "Input bytes requested beyond end of message" },
{15, "Maximum number of UDVM cycles reached" },
{16, "UDVM stack underflow" },
+ {17, "state_length is 0, but state_begin is non-zero" },
{ 255, "This branch isn't coded yet" },
{ 0, NULL }
};
* Debug g_warning("Sigcomp init: Storing partial state =%s",partial_state_str);
*/
memset(sip_sdp_buff, 0, 8);
+ sip_sdp_buff[0] = SIP_SDP_STATE_LENGTH >> 8;
+ sip_sdp_buff[1] = SIP_SDP_STATE_LENGTH & 0xff;
i = 0;
while ( i < SIP_SDP_STATE_LENGTH ){
sip_sdp_buff[i+8] = sip_sdp_static_dictionaty_for_sigcomp[i];
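Review bot: The length bytes stored in `sip_sdp_buff[0]` and `sip_sdp_buff[1]` appear to be the same header the state-access code later reads back as its copy limit, yet nothing on these lines checks that `SIP_SDP_STATE_LENGTH` fits in 16 bits. Nothing visible ties it to the size of `sip_sdp_buff` either, which has to hold `SIP_SDP_STATE_LENGTH + 8` bytes for the loop that follows. I would document the layout with `/* bytes 0-1: state_length, big-endian; read back as the bound on state access */` and, if the constant is a macro, add `G_STATIC_ASSERT(SIP_SDP_STATE_LENGTH <= 0xffff);`. The same applies to the `presence_buff` hunk with `PRESENCE_STATE_LENGTH`. The enclosing function starts and ends outside this hunk.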
partial_state_str = bytes_to_ep_str(presence_state_identifier, 6);
- memset(sip_sdp_buff, 0, 8);
+ memset(presence_buff, 0, 8);
+ presence_buff[0] = PRESENCE_STATE_LENGTH >> 8;
+ presence_buff[1] = PRESENCE_STATE_LENGTH & 0xff;
i = 0;
while ( i < PRESENCE_STATE_LENGTH ){
presence_buff[i+8] = presence_static_dictionary_for_sigcomp[i];
int result_code = 0;
guint32 n;
guint16 k;
+ guint16 buf_size_real;
guint16 byte_copy_right;
guint16 byte_copy_left;
char partial_state[STATE_BUFFER_SIZE]; /* Size is 6 - 20 */
* If k = byte_copy_right then set n := byte_copy_left, else set n := k
*
*/
- /*
- if ( ( state_begin + state_length ) > sip_sdp_state_length )
- return 3;
- */
+
/*
* buff = Where "state" will be stored
* p_id_start = Partial state identifier start pos in the buffer(buff)
* FALSE = Indicates that state_* is in the stored state
*/
+ buf_size_real = (state_buff[0] << 8) | state_buff[1];
+
/*
* The value of
* state_length MUST be taken from the returned item of state in the
*
* The same is true of state_address, state_instruction.
*/
- if ( *state_length == 0 ){
- *state_length = state_buff[0] << 8;
- *state_length = *state_length | state_buff[1];
+ if (*state_length == 0) {
+ *state_length = buf_size_real;
}
if ( *state_address == 0 ){
*state_address = state_buff[2] << 8;
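Review bot: Replacing `*state_length` with `buf_size_real` here loses the fact that the operand was 0, so the `*state_length == 0 && state_begin != 0` test added in the next hunk can only be true when the stored length is itself 0. In that case `state_begin + *state_length > buf_size_real` has already returned 3, so result 17 and its new message look unreachable. The zero-length, non-zero-begin request is still rejected, only under the generic code. To report the specific failure, test the operand before the substitution: put `if (*state_length == 0 && state_begin != 0) return 17;` ahead of `if (*state_length == 0) {` and keep the bounds check after it. The enclosing function starts and ends outside this hunk.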
*state_instruction = *state_instruction | state_buff[5];
}
+ /*
+ * Decompression failure occurs if bytes are copied from beyond the end of
+ * the state_value.
+ */
+ if ((state_begin + *state_length) > buf_size_real) {
+ return 3;
+ }
+
+ /*
+ * Note that decompression failure will always occur if the state_length
+ * operand is set to 0 but the state_begin operand is non-zero.
+ */
+ if (*state_length == 0 && state_begin != 0) {
+ return 17;
+ }
+
n = state_begin + 8;
k = *state_address;