mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-08 12:06:40 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

sap: avoid reading past the end of the string

Browse source 
parse_sdp_a_rtpmap used c += strlen(c) + 1 to skip past the MIME type to the
rate/channels part, but if the a=rtpmap: line had no / separator, strcspn
returned the full string length and the +1 advanced past the null terminator.

Fix this by checking if / was actually found, returning -EINVAL if not.
This commit is contained in:
Wim Taymans 2026-05-08 11:48:51 +02:00
parent 7fd3e13a3e
commit 6d3122c1b1
1 changed files with 7 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/modules/module-rtp-sap.c
View file

@ -1564,6 +1564,8 @@ static int parse_sdp_i(struct impl *impl, char *c, struct sdp_info *info)
return 0;
}
/* a=rtpmap:<payload type> <encoding name>/<clock rate> [/<encoding parameters>]
*/
static int parse_sdp_a_rtpmap(struct impl *impl, char *c, struct sdp_info *info)
{
int payload, len, rate, channels;
@ -1583,11 +1585,14 @@ static int parse_sdp_a_rtpmap(struct impl *impl, char *c, struct sdp_info *info)
return 0;
c += len;
c[strcspn(c, "/")] = 0;
len = strcspn(c, "/");
if (c[len] == '\0')
return -EINVAL;
c[len] = 0;
info->mime_type = strdup(c);
if (info->mime_type == NULL)
return -errno;
c += strlen(c) + 1;
c += len + 1;
if (sscanf(c, "%u/%u", &rate, &channels) == 2) {
info->channels = channels;