From 364436dd31ca7f2332ee4601c3b2fb576e8c566d Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Wed, 6 May 2026 11:35:31 +0200
Subject: [PATCH] rtp-sap: handle out-of-bound SAP packet read

If the SAP packet contains the MIME type string but no SDP payload after it, sdp would point past the null-terminated buffer. Check that we are still inside the packet before parsing the SDP.
---
 src/modules/module-rtp-sap.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/modules/module-rtp-sap.c b/src/modules/module-rtp-sap.c
index 97bedfb2a..9a8208c15 100644
--- a/src/modules/module-rtp-sap.c
+++ b/src/modules/module-rtp-sap.c
@@ -1756,9 +1756,11 @@ static int parse_sap(struct impl *impl, void *data, size_t len)
 if (spa_strstartswith(mime, "v=0")) {
 sdp = mime;
 mime = SAP_MIME_TYPE;
- } else if (spa_streq(mime, SAP_MIME_TYPE))
+ } else if (spa_streq(mime, SAP_MIME_TYPE)) {
 sdp = SPA_PTROFF(mime, strlen(mime)+1, char);
- else
+ if (sdp >= SPA_PTROFF(data, len, char))
+ return -EINVAL;
+ } else
 return -EINVAL;
 pw_log_debug("got SAP: %s %s", mime, sdp);
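Review bot: The added bound check in the `SAP_MIME_TYPE` branch runs only after `strlen(mime)` has already scanned the packet data, so the branch is safe only if the buffer is NUL-terminated at `data[len]`. The commit message implies that invariant, but it is established outside this hunk (parse_sap starts and ends beyond it), so I could not confirm it here. I would record the dependency next to the check, for example `/* relies on data[len] == '\0'; sdp at or past data+len means there is no SDP payload */`, so a later change to the receive path does not silently turn the `strlen` into an over-read. If `mime` is already known to lie inside the packet at this point, bounding the scan with `strnlen(mime, SPA_PTRDIFF(SPA_PTROFF(data, len, char), mime))` would make the branch independent of the terminator. As a style point, the trailing `} else` is now the only unbraced arm of the chain and would read more safely as `} else {` ... `}`.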