From 25f2180999dafb807068313c4a329a163dd99f92 Mon Sep 17 00:00:00 2001
From: codyherzog
Date: Mon, 7 Aug 2017 12:46:27 -0700
Subject: [PATCH] textops: Fix 'offset exceeds message size' crash.

Ensure that buffer is null terminated when subst_run() function is used.

---
 src/modules/textops/textops.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/modules/textops/textops.c b/src/modules/textops/textops.c
index 5048fbae5df..655f6381541 100644
--- a/src/modules/textops/textops.c
+++ b/src/modules/textops/textops.c
@@ -682,12 +682,19 @@ static int subst_helper_f(sip_msg_t* msg, struct subst_expr* se)
 	int off;
 	int ret;
 	int nmatches;
+	char c;
 
 	begin=get_header(msg); /* start after first line to avoid replacing
 							* the uri */
 	off=begin-msg->buf;
 	ret=-1;
-	if ((lst=subst_run(se, begin, msg, &nmatches))==0)
+
+	c = msg->buf[msg->len];
+	msg->buf[msg->len] = '\0';
+	lst=subst_run(se, begin, msg, &nmatches);
+	msg->buf[msg->len] = c;
+
+	if (lst==0)
 		goto error; /* not found */
 	for (rpl=lst; rpl; rpl=rpl->next){
 		LM_DBG("%s: replacing at offset %d [%.*s] with [%.*s]\n",
@@ -826,6 +833,7 @@ static int subst_body_helper_f(struct sip_msg* msg, struct subst_expr* se)
 	int ret;
 	int nmatches;
 	str body;
+	char c;
 
 	body.s = get_body(msg);
 	if (body.s==0) {
@@ -842,7 +850,13 @@ static int subst_body_helper_f(struct sip_msg* msg, struct subst_expr* se)
 
 	off=begin-msg->buf;
 	ret=-1;
-	if ((lst=subst_run(se, begin, msg, &nmatches))==0)
+
+	c = body.s[body.len];
+	body.s[body.len] = '\0';
+	lst=subst_run(se, begin, msg, &nmatches);
+	body.s[body.len] = c;
+
+	if (lst==0)
 		goto error; /* not found */
 	for (rpl=lst; rpl; rpl=rpl->next){
 		LM_DBG("%s replacing at offset %d [%.*s] with [%.*s]\n",
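Review bot: The new `msg->buf[msg->len] = '\0';` in subst_helper_f writes one byte past the message length, which is only safe if the buffer behind msg->buf was allocated with at least msg->len + 1 bytes; nothing in the hunk establishes that, so the assumption should be recorded where the write happens. On the normal receive path the buffer is presumably already terminated, in which case the save/restore is a no-op, but a buffer that was replaced later in the message's life (for example after the message is rewritten into a freshly sized allocation) may not carry that spare byte. I would put above the assignment: `/* subst_run() treats the buffer as a C string: temporarily NUL-terminate it (requires msg->buf to hold msg->len + 1 bytes) and restore the byte afterwards */`. subst_helper_f begins and ends outside this hunk.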
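Review bot: The save/terminate/call/restore sequence added to subst_body_helper_f is a verbatim copy of the one added to subst_helper_f earlier in the patch, so the two will drift apart the next time either needs adjusting; a small static helper taking the end pointer would keep the termination logic in one place. The helper would save `*end`, store `'\0'`, call subst_run() with the same arguments, restore the saved byte and return the list, and this hunk would reduce to `lst = subst_run_terminated(se, begin, body.s + body.len, msg, &nmatches);`. Note also that `body.s[body.len]` is only the byte just past the message if body.len is computed to run up to msg->len, which happens outside this hunk; if it ever stopped short the temporary NUL is still restored, so the effect would be a match truncated at body.len rather than corruption. subst_body_helper_f begins and ends outside this hunk.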