mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-06 06:46:29 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

rtp-sap: handle out-of-bound SAP packet read

Browse source 
If the SAP packet contains the MIME type string but no SDP payload after it,
sdp would point past the null-terminated buffer. Check that we are
still inside the packet before parsing the SDP.
This commit is contained in:
Wim Taymans 2026-05-06 11:35:31 +02:00
parent d32a21c4ee
commit 364436dd31
1 changed files with 4 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/modules/module-rtp-sap.c
View file

@ -1756,9 +1756,11 @@ static int parse_sap(struct impl *impl, void *data, size_t len)
if (spa_strstartswith(mime, "v=0")) {
sdp = mime;
mime = SAP_MIME_TYPE;
} else if (spa_streq(mime, SAP_MIME_TYPE))
} else if (spa_streq(mime, SAP_MIME_TYPE)) {
sdp = SPA_PTROFF(mime, strlen(mime)+1, char);
else
if (sdp >= SPA_PTROFF(data, len, char))
return -EINVAL;
} else
return -EINVAL;
pw_log_debug("got SAP: %s %s", mime, sdp);