Impact
It is a denial-of-service vulnerability and affects applications on a 32-bit system that:
- use PJSIP to play/read invalid media files (WAV/AVI), or
- directly use the PJLIB API pj_file_*() for file I/O operations.
Note that the vulnerability shouldn't affect 64-bit apps.
Patches
The patch is available as commit 947bc1e in the master branch.
Workarounds
Apps can verify the media files and make sure they are valid, or reject any media file received from an unknown/untrusted source. If the app uses the PJLIB API directly for file I/O, it needs to make sure that the parameters passed to the API are valid and don't trigger an overflow.
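One way to implement the "verify the media files" workaround for WAV input is sketched below. This is an added example, not PJSIP code or the fix in the commit. The function name wav_sizes_ok() is hypothetical, and the rule it applies (every declared RIFF size must fit in the bytes actually present and in a signed 32-bit offset) is an assumed definition of "valid".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RIFF sizes are little-endian 32-bit values. */
static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hypothetical pre-check (assumption, not a PJSIP API): returns 1 if every
 * declared size fits in the bytes present and in a signed 32-bit offset,
 * and a "fmt " chunk precedes a "data" chunk; returns 0 otherwise. */
int wav_sizes_ok(const uint8_t *buf, size_t len)
{
    size_t pos = 12;                    /* first chunk follows RIFF....WAVE */
    int have_fmt = 0, have_data = 0;

    if (len < 12 || len > (size_t)INT32_MAX) return 0;
    if (memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "WAVE", 4) != 0)
        return 0;
    if (rd_le32(buf + 4) > len - 8) return 0;  /* claims more than exists */

    while (len - pos >= 8) {
        uint32_t size = rd_le32(buf + pos + 4);
        if (size > len - pos - 8) return 0;    /* compare before adding */
        if (memcmp(buf + pos, "fmt ", 4) == 0) {
            if (size < 16) return 0;           /* too short for PCM format */
            have_fmt = 1;
        } else if (memcmp(buf + pos, "data", 4) == 0) {
            if (!have_fmt) return 0;
            have_data = 1;
        }
        pos += 8 + (size_t)size;
        if ((size & 1) && pos < len) pos++;    /* chunks are word-aligned */
    }
    return have_fmt && have_data;
}

int main(void)
{
    /* Constructed sample: 44-byte header whose data chunk claims 0xFFFFFFFF. */
    uint8_t bad[] = {'R','I','F','F', 36,0,0,0, 'W','A','V','E', 'f','m','t',' ',
        16,0,0,0, 1,0, 1,0, 0x40,0x1f,0,0, 0x80,0x3e,0,0, 2,0, 16,0,
        'd','a','t','a', 0xff,0xff,0xff,0xff};
    printf("%s\n", wav_sizes_ok(bad, sizeof bad) ? "accept" : "reject");
    return 0;
}
```

Each size is compared against the bytes remaining before it is added to the position, so the check itself cannot wrap on a 32-bit build.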
For more information
If you have any questions or comments about this advisory:
Email us at security@pjsip.org