mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-27 21:37:37 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

sap: avoid reading past the end of the string

Browse source 
parse_sdp_a_rtpmap used c += strlen(c) + 1 to skip past the MIME type to the
rate/channels part, but if the a=rtpmap: line had no / separator, strcspn
returned the full string length and the +1 advanced past the null terminator.

Fix this by checking if / was actually found, returning -EINVAL if not.
This commit is contained in:
Wim Taymans 2026-05-08 11:48:51 +02:00
parent 7fd3e13a3e
commit 6d3122c1b1
1 changed files with 7 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
src/modules/module-rtp-sap.c
View file

@ -1564,6 +1564,8 @@ static int parse_sdp_i(struct impl *impl, char *c, struct sdp_info *info)
return 0; return 0;
} }
/* a=rtpmap:<payload type> <encoding name>/<clock rate> [/<encoding parameters>]
*/
static int parse_sdp_a_rtpmap(struct impl *impl, char *c, struct sdp_info *info) static int parse_sdp_a_rtpmap(struct impl *impl, char *c, struct sdp_info *info)
{ {
int payload, len, rate, channels; int payload, len, rate, channels;
@ -1583,11 +1585,14 @@ static int parse_sdp_a_rtpmap(struct impl *impl, char *c, struct sdp_info *info)
return 0; return 0;
c += len; c += len;
c[strcspn(c, "/")] = 0; len = strcspn(c, "/");
if (c[len] == '\0')
return -EINVAL;
c[len] = 0;
info->mime_type = strdup(c); info->mime_type = strdup(c);
if (info->mime_type == NULL) if (info->mime_type == NULL)
return -errno; return -errno;
c += strlen(c) + 1; c += len + 1;
if (sscanf(c, "%u/%u", &rate, &channels) == 2) { if (sscanf(c, "%u/%u", &rate, &channels) == 2) {
info->channels = channels; info->channels = channels;