From 9d2b763e29116e184e2f893f68cc5e4c66f28bcc Mon Sep 17 00:00:00 2001
From: Lev Melnikovsky <melnikovsky@gmail.com>
Date: Wed, 4 Nov 2015 12:42:21 +0200
Subject: [PATCH] rtp: fix non null terminated string / non portable sscanf

In rtp.c:

if (sscanf(t+9, "%i %64c", &_payload, c) == 2)

the string c seems to be non-null terminated. It is later used as
following:

c[strcspn(c, "\n")] = 0;

The same piece of code is responsible for the inability of pulseaudio
on OpenWRT to handle RTP stream at the rate 48000 from another
machine:

[pulseaudio] sdp.c: Failed to parse SDP data: missing data.

It turns out that uClibc does not agree with glibc about "%64c", see
http://git.uclibc.org/uClibc/tree/docs/Glibc_vs_uClibc_Differences.txt

BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=92568
---
 src/modules/rtp/sdp.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/modules/rtp/sdp.c b/src/modules/rtp/sdp.c
index f35d6891f..14953cf78 100644
--- a/src/modules/rtp/sdp.c
+++ b/src/modules/rtp/sdp.c
@@ -213,15 +213,16 @@ pa_sdp_info *pa_sdp_parse(const char *t, pa_sdp_info *i, int is_goodbye) {
             if (i->payload <= 127) {
                 char c[64];
                 int _payload;
+                int len;
 
-                if (sscanf(t+9, "%i %64c", &_payload, c) == 2) {
-
+                if (sscanf(t + 9, "%i %n", &_payload, &len) == 1) {
                     if (_payload < 0 || _payload > 127) {
                         pa_log("Failed to parse SDP data: invalid payload %i.", _payload);
                         goto fail;
                     }
                     if (_payload == i->payload) {
-
+                        strncpy(c, t + 9 + len, 63);
+                        c[63] = 0;
                         c[strcspn(c, "\n")] = 0;
 
                         if (parse_sdp_sample_spec(&i->sample_spec, c))