From 25bbb42ec25b5a241edcf65ac4d5c801ce223804 Mon Sep 17 00:00:00 2001
From: Mike Jerris
Date: Mon, 6 Mar 2017 12:51:29 -0600
Subject: [PATCH] FS-10001: [core] Fix Buffer overflow collecting digits
---
 src/mod/applications/mod_dptools/mod_dptools.c | 3 +++
 src/switch_ivr.c | 5 +++++
 2 files changed, 8 insertions(+)
diff --git a/src/mod/applications/mod_dptools/mod_dptools.c b/src/mod/applications/mod_dptools/mod_dptools.c
index 937d214827..04f35b538f 100644
--- a/src/mod/applications/mod_dptools/mod_dptools.c
+++ b/src/mod/applications/mod_dptools/mod_dptools.c
@@ -935,6 +935,7 @@ SWITCH_STANDARD_APP(eavesdrop_function)
 if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_failed"))) {
 switch_ivr_play_file(session, NULL, file, NULL);
 }
+ buf[0] = '\0';
 switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 5000, 0, 0);
 continue;
 }
@@ -954,6 +955,7 @@ SWITCH_STANDARD_APP(eavesdrop_function)
 if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_failed"))) {
 switch_ivr_play_file(session, NULL, file, NULL);
 }
+ buf[0] = '\0';
 switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 5000, 0, 0);
 }
 }
@@ -962,6 +964,7 @@ SWITCH_STANDARD_APP(eavesdrop_function)
 if ((file = switch_channel_get_variable(channel, "eavesdrop_indicate_idle"))) {
 switch_ivr_play_file(session, NULL, file, NULL);
 }
+ buf[0] = '\0';
 switch_ivr_collect_digits_count(session, buf, buflen, 1, "*", &terminator, 2000, 0, 0);
 }
 }
diff --git a/src/switch_ivr.c b/src/switch_ivr.c
index 76d0158b1a..770c3bb81f 100644
--- a/src/switch_ivr.c
+++ b/src/switch_ivr.c
@@ -1333,6 +1333,11 @@ SWITCH_DECLARE(switch_status_t) switch_ivr_collect_digits_count(switch_core_sess
 int sval = 0;
 const char *var;
+
+ if (x >= buflen || x >= maxdigits) {
+ return SWITCH_STATUS_FALSE;
+ }
+
 if ((var = switch_channel_get_variable(channel, SWITCH_SEND_SILENCE_WHEN_IDLE_VARIABLE)) && (sval = atoi(var))) {
 switch_core_session_get_read_impl(session, &imp);
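Review bot: The `buf[0] = '\0';` reset is added without a comment at three call sites in eavesdrop_function (this hunk and the ones at -954 and -962), so the reason it must come before `switch_ivr_collect_digits_count` is easy to lose in a later edit. The guard added in switch_ivr.c suggests the callee treats whatever is already in `buf` as collected digits, though the line that derives `x` is outside the diff. A comment such as `/* collect_digits_count appends to buf; drop digits left from the previous pass */` on each reset would keep that precondition visible. All three calls also discard the returned status, so the new early `SWITCH_STATUS_FALSE` is not observable at these sites. eavesdrop_function starts and ends outside these hunks.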
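Review bot: The new guard `if (x >= buflen || x >= maxdigits)` still admits `x == buflen - 1`, that is, a buffer already full up to its terminator. If the collection loop further down (outside this hunk) stores a digit and then writes the terminator at the next index, that entry state would place the NUL at `buf[buflen]`; this should be confirmed against the loop and, if so, the check tightened to `if (buflen == 0 || x >= buflen - 1 || x >= maxdigits)`. `x` is initialised above the hunk, presumably from the current length of `buf`, so the function also depends on callers passing a terminated buffer, and a one-line comment stating that precondition above the guard would help. The function body starts and ends outside the hunk.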