Description: CVE-2021-43299
Origin: https://github.com/pjsip/pjproject/commit/d979253c924a686fa511d705be1f3ad0c5b20337
Last-Update: 2022-02-22

--- pjproject-2.5.5~dfsg.orig/pjmedia/include/pjmedia/wav_playlist.h
+++ pjproject-2.5.5~dfsg/pjmedia/include/pjmedia/wav_playlist.h
@@ -49,6 +49,8 @@ PJ_BEGIN_DECL
  * @param pool		Pool to create memory buffers for this port.
  * @param port_label	Optional label to set as the port name.
  * @param file_list	Array of WAV file names.
+ *  		Each filename's length must be smaller than
+ * 			PJ_MAXPATH.
  * @param file_count	Number of files in the array.
  * @param ptime		The duration (in miliseconds) of each frame read
  *			from this port. If the value is zero, the default
--- pjproject-2.5.5~dfsg.orig/pjmedia/src/pjmedia/wav_playlist.c
+++ pjproject-2.5.5~dfsg/pjmedia/src/pjmedia/wav_playlist.c
@@ -257,7 +257,9 @@ PJ_DEF(pj_status_t) pjmedia_wav_playlist
     /* Be sure all files exist	*/
     for (index=0; index<file_count; index++) {
 
-	PJ_ASSERT_RETURN(file_list[index].slen < PJ_MAXPATH, PJ_ENAMETOOLONG);
+	PJ_ASSERT_RETURN(file_list[index].slen >= 0, PJ_ETOOSMALL);
+	if (file_list[index].slen >= PJ_MAXPATH)
+	    return PJ_ENAMETOOLONG;
 
 	pj_memcpy(filename, file_list[index].ptr, file_list[index].slen);
 	filename[file_list[index].slen] = '\0';
--- pjproject-2.5.5~dfsg.orig/pjsip/include/pjsua-lib/pjsua.h
+++ pjproject-2.5.5~dfsg/pjsip/include/pjsua-lib/pjsua.h
@@ -6259,6 +6259,7 @@ PJ_DECL(pj_status_t) pjsua_conf_get_sign
  *			WAV files are supported, and the WAV file MUST be
  *			formatted as 16bit PCM mono/single channel (any
  *			clock rate is supported).
+ * 			Filename's length must be smaller than PJ_MAXPATH.
  * @param options	Optional option flag. Application may specify
  *			PJMEDIA_FILE_NO_LOOP to prevent playback loop.
  * @param p_id		Pointer to receive player ID.
@@ -6277,6 +6278,8 @@ PJ_DECL(pj_status_t) pjsua_player_create
  * @param file_names	Array of file names to be added to the play list.
  *			Note that the files must have the same clock rate,
  *			number of channels, and number of bits per sample.
+ * 			Each filename's length must be smaller than
+ * 			PJ_MAXPATH.
  * @param file_count	Number of files in the array.
  * @param label		Optional label to be set for the media port.
  * @param options	Optional option flag. Application may specify
@@ -6371,6 +6374,7 @@ PJ_DECL(pj_status_t) pjsua_player_destro
  * @param filename	Output file name. The function will determine the
  *			default format to be used based on the file extension.
  *			Currently ".wav" is supported on all platforms.
+ * 			Filename's length must be smaller than PJ_MAXPATH.
  * @param enc_type	Optionally specify the type of encoder to be used to
  *			compress the media, if the file can support different
  *			encodings. This value must be zero for now.
--- pjproject-2.5.5~dfsg.orig/pjsip/src/pjsua-lib/pjsua_aud.c
+++ pjproject-2.5.5~dfsg/pjsip/src/pjsua-lib/pjsua_aud.c
@@ -1034,6 +1034,9 @@ PJ_DEF(pj_status_t) pjsua_player_create(
     if (pjsua_var.player_cnt >= PJ_ARRAY_SIZE(pjsua_var.player))
 	return PJ_ETOOMANY;
 
+    if (filename->slen >= PJ_MAXPATH)
+    	return PJ_ENAMETOOLONG;
+
     PJ_LOG(4,(THIS_FILE, "Creating file player: %.*s..",
 	      (int)filename->slen, filename->ptr));
     pj_log_push_indent();
@@ -1351,6 +1354,11 @@ PJ_DEF(pj_status_t) pjsua_recorder_creat
     /* Don't support encoding type at present */
     PJ_ASSERT_RETURN(enc_type == 0, PJ_EINVAL);
 
+    if (filename->slen >= PJ_MAXPATH)
+    	return PJ_ENAMETOOLONG;
+    if (filename->slen < 4)
+    	return PJ_EINVALIDOP;
+
     PJ_LOG(4,(THIS_FILE, "Creating recorder %.*s..",
 	      (int)filename->slen, filename->ptr));
     pj_log_push_indent();
--- pjproject-2.5.5~dfsg.orig/pjsip/src/pjsua-lib/pjsua_dump.c
+++ pjproject-2.5.5~dfsg/pjsip/src/pjsua-lib/pjsua_dump.c
@@ -932,6 +932,7 @@ PJ_DEF(pj_status_t) pjsua_call_dump( pjs
 
     PJ_ASSERT_RETURN(call_id>=0 && call_id<(int)pjsua_var.ua_cfg.max_calls,
 		     PJ_EINVAL);
+	PJ_ASSERT_RETURN(maxlen > 3, PJ_ETOOSMALL);
 
     status = acquire_call("pjsua_call_dump()", call_id, &call, &dlg);
     if (status != PJ_SUCCESS)
@@ -945,11 +946,13 @@ PJ_DEF(pj_status_t) pjsua_call_dump( pjs
     print_call(indent, call_id, tmp, sizeof(tmp));
 
     len = (int)pj_ansi_strlen(tmp);
-    pj_ansi_strcpy(buffer, tmp);
+    if (len + 3 > maxlen) len = maxlen - 3;
+    pj_ansi_strncpy(buffer, tmp, len);
 
     p += len;
     *p++ = '\r';
     *p++ = '\n';
+    *p = '\0';
 
     /* Calculate call duration */
     if (call->conn_time.sec != 0) {
