security: replace atoi() with spa_atou32() for RTP session parameters

Input Validation: Medium The RTP-SAP module used atoi() to parse rtp.rate, rtp.channels, rtp.ssrc, and rtp.ts-offset properties into uint32_t fields. atoi() returns int, which has undefined behavior on overflow and silently converts negative values. When assigned to uint32_t, a negative result wraps to a large value. These properties can originate from received SDP announcements over the network. Replaced with spa_atou32() which properly validates the input and rejects non-numeric or out-of-range values. This is consistent with how the same function already handles rtp.framecount using spa_atou32(). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-29 06:46:38 -04:00 · 2026-04-27 16:57:52 +02:00 · 2026-04-27 16:57:52 +02:00 · a1aa9b0d75
commit a1aa9b0d75
parent 7465199fff
1 changed files with 10 additions and 6 deletions
--- a/src/modules/module-rtp-sap.c
+++ b/src/modules/module-rtp-sap.c
@ -1191,15 +1191,19 @@ static struct session *session_new_announce(struct impl *impl, struct node *node
 	replace_str(&sdp->mime_type, str);

 	if ((str = pw_properties_get(props, "rtp.rate")) != NULL)
-		sdp->rate = atoi(str);
+		if (!spa_atou32(str, &sdp->rate, 0))
+			sdp->rate = 0;
 	if ((str = pw_properties_get(props, "rtp.channels")) != NULL)
-		sdp->channels = atoi(str);
-	if ((str = pw_properties_get(props, "rtp.ssrc")) != NULL)
-		sdp->ssrc = atoi(str);
-	else
+		if (!spa_atou32(str, &sdp->channels, 0))
+			sdp->channels = 0;
+	if ((str = pw_properties_get(props, "rtp.ssrc")) != NULL) {
+		if (!spa_atou32(str, &sdp->ssrc, 0))
+			sdp->ssrc = 0;
+	} else
 		sdp->ssrc = 0;
 	if ((str = pw_properties_get(props, "rtp.ts-offset")) != NULL)
-		sdp->ts_offset = atoi(str);
+		if (!spa_atou32(str, &sdp->ts_offset, 0))
+			sdp->ts_offset = 0;
 	str = pw_properties_get(props, "rtp.ts-refclk");
 	replace_str(&sdp->ts_refclk, str);