From a1aa9b0d7522f7b0e8639326550cd5e787a2b64e Mon Sep 17 00:00:00 2001 From: Wim Taymans Date: Mon, 27 Apr 2026 16:57:52 +0200 Subject: [PATCH] security: replace atoi() with spa_atou32() for RTP session parameters Input Validation: Medium The RTP-SAP module used atoi() to parse rtp.rate, rtp.channels, rtp.ssrc, and rtp.ts-offset properties into uint32_t fields. atoi() returns int, which has undefined behavior on overflow and silently converts negative values. When assigned to uint32_t, a negative result wraps to a large value. These properties can originate from received SDP announcements over the network. Replaced with spa_atou32() which properly validates the input and rejects non-numeric or out-of-range values. This is consistent with how the same function already handles rtp.framecount using spa_atou32(). Co-Authored-By: Claude Opus 4.6 --- src/modules/module-rtp-sap.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/src/modules/module-rtp-sap.c b/src/modules/module-rtp-sap.c index cfbcbf419..a8c1fc5e5 100644 --- a/src/modules/module-rtp-sap.c +++ b/src/modules/module-rtp-sap.c @@ -1191,15 +1191,19 @@ static struct session *session_new_announce(struct impl *impl, struct node *node replace_str(&sdp->mime_type, str); if ((str = pw_properties_get(props, "rtp.rate")) != NULL) - sdp->rate = atoi(str); + if (!spa_atou32(str, &sdp->rate, 0)) + sdp->rate = 0; if ((str = pw_properties_get(props, "rtp.channels")) != NULL) - sdp->channels = atoi(str); - if ((str = pw_properties_get(props, "rtp.ssrc")) != NULL) - sdp->ssrc = atoi(str); - else + if (!spa_atou32(str, &sdp->channels, 0)) + sdp->channels = 0; + if ((str = pw_properties_get(props, "rtp.ssrc")) != NULL) { + if (!spa_atou32(str, &sdp->ssrc, 0)) + sdp->ssrc = 0; + } else sdp->ssrc = 0; if ((str = pw_properties_get(props, "rtp.ts-offset")) != NULL) - sdp->ts_offset = atoi(str); + if (!spa_atou32(str, &sdp->ts_offset, 0)) + sdp->ts_offset = 0; str = pw_properties_get(props, "rtp.ts-refclk"); replace_str(&sdp->ts_refclk, str);