From 6d3122c1b126373c2ca0eed8389fa1c92f3689f6 Mon Sep 17 00:00:00 2001
From: Wim Taymans
Date: Fri, 8 May 2026 11:48:51 +0200
Subject: [PATCH] sap: avoid reading past the end of the string
parse_sdp_a_rtpmap used c += strlen(c) + 1 to skip past the MIME type to the rate/channels part, but if the a=rtpmap: line had no / separator, strcspn returned the full string length and the +1 advanced past the null terminator. Fix this by checking if / was actually found, returning -EINVAL if not.
---
 src/modules/module-rtp-sap.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/modules/module-rtp-sap.c b/src/modules/module-rtp-sap.c
index 3d4cfa086..21e387eba 100644
--- a/src/modules/module-rtp-sap.c
+++ b/src/modules/module-rtp-sap.c
@@ -1564,6 +1564,8 @@ static int parse_sdp_i(struct impl *impl, char *c, struct sdp_info *info)
 return 0;
 }
+/* a=rtpmap: / [/]
+ */
 static int parse_sdp_a_rtpmap(struct impl *impl, char *c, struct sdp_info *info)
 {
 int payload, len, rate, channels;
@@ -1583,11 +1585,14 @@ static int parse_sdp_a_rtpmap(struct impl *impl, char *c, struct sdp_info *info)
 return 0;
 c += len;
- c[strcspn(c, "/")] = 0;
+ len = strcspn(c, "/");
+ if (c[len] == '\0')
+ return -EINVAL;
+ c[len] = 0;
 info->mime_type = strdup(c);
 if (info->mime_type == NULL)
 return -errno;
- c += strlen(c) + 1;
+ c += len + 1;
 if (sscanf(c, "%u/%u", &rate, &channels) == 2) {
 info->channels = channels;
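Review bot: The `sscanf(c, "%u/%u", &rate, &channels)` at the end of the second hunk passes `int *` arguments for `%u`, which requires `unsigned int *`; both are declared in `int payload, len, rate, channels;` (context of the first hunk). The digits come straight from the SDP text, so a value above INT_MAX is stored as a negative number in practice before `info->channels = channels;`. Declaring them as `unsigned int rate, channels;` and rejecting zero or implausibly large values before they are stored would close that; the rest of parse_sdp_a_rtpmap lies outside the hunk, so a later range check may already exist. The new `len = strcspn(c, "/");` also narrows `size_t` to `int`, which is harmless for a bounded line but would be cleaner with a separate `size_t` local.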