From 82e44a9f45cfb9e935f354986f91f5e2c85bf633 Mon Sep 17 00:00:00 2001
From: Tanu Kaskinen
Date: Thu, 29 Mar 2012 16:03:59 +0300
Subject: [PATCH] rtp: Fix rtp_port reading.
pa_atou() return value was not checked, and the cast of a 16-bit variable pointer to a 32-bit variable pointer could corrupt cseq.
---
 src/modules/rtp/rtsp_client.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/modules/rtp/rtsp_client.c b/src/modules/rtp/rtsp_client.c
index 2c8b2dcf6..90521fe63 100644
--- a/src/modules/rtp/rtsp_client.c
+++ b/src/modules/rtp/rtsp_client.c
@@ -143,9 +143,17 @@ static void headers_read(pa_rtsp_client *c) {
 /* Now parse out the server port component of the response. */
 while ((token = pa_split(c->transport, delimiters, &token_state))) {
- if ((pc = strstr(token, "="))) {
+ if ((pc = strchr(token, '='))) {
 if (0 == strncmp(token, "server_port", 11)) {
- pa_atou(pc+1, (uint32_t*)(&c->rtp_port));
+ uint32_t p;
+
+ if (pa_atou(pc + 1, &p) < 0 || p <= 0 || p > 0xffff) {
+ pa_log("Invalid SETUP response (invalid server_port).");
+ pa_xfree(token);
+ return;
+ }
+
+ c->rtp_port = p;
 pa_xfree(token);
 break;
 }
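Review bot: The key comparison `strncmp(token, "server_port", 11)` is still only a prefix match, so any Transport parameter whose name merely starts with `server_port` (constructed example: `server_port_x=1`) is parsed as the port from this server-supplied header. Tying the match to the position of the `=` closes that: `if (pc - token == 11 && 0 == strncmp(token, "server_port", 11)) {`. In the new range check `p <= 0` on a `uint32_t` can only mean `p == 0`, which states the intent more plainly. The added `return` also skips whatever follows the loop in headers_read, which continues outside this hunk, so it is worth confirming that the caller is still told about the failed SETUP on that path.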