Fixed a bug in SDP rtpmap parsing that caused the SDP parser to fail on the rtpmap attribute (because the input is not null terminated)
git-svn-id: https://svn.pjsip.org/repos/pjproject/trunk@572 74dad513-b988-da41-8d7b-12977e46ad98
diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
index 57e8987..09e5217 100644
--- a/pjmedia/src/pjmedia/sdp.c
+++ b/pjmedia/src/pjmedia/sdp.c
@@ -101,7 +101,7 @@
pj_strdup2(pool, &attr->name, name);
if (value)
- pj_strdup(pool, &attr->value, value);
+ pj_strdup_with_null(pool, &attr->value, value);
else {
attr->value.ptr = NULL;
attr->value.slen = 0;
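Review bot: Nothing at this call records that `attr->value` now carries a terminator stored just past `slen`, although the rtpmap parser changed later in this commit depends on that byte being there. A comment above the call, such as `/* Value is kept null terminated (terminator not counted in slen); the rtpmap parser relies on this. */`, would keep a later edit from reverting to `pj_strdup`. The same applies to the clone function in the next hunk. The enclosing function starts and ends outside this hunk.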
@@ -120,7 +120,7 @@
attr = pj_pool_alloc(pool, sizeof(pjmedia_sdp_attr));
pj_strdup(pool, &attr->name, &rhs->name);
- pj_strdup(pool, &attr->value, &rhs->value);
+ pj_strdup_with_null(pool, &attr->value, &rhs->value);
return attr;
}
@@ -249,10 +249,27 @@
pj_scanner scanner;
pj_str_t token;
pj_status_t status = -1;
+ char term = 0;
PJ_USE_EXCEPTION;
PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "rtpmap")==0, PJ_EINVALIDOP);
+ PJ_ASSERT_RETURN(attr->value.slen != 0, PJMEDIA_SDP_EINATTR);
+
+ /* Check if input is null terminated, and null terminate if
+ * necessary. Unfortunately this may crash the application if
+ * attribute was allocated from a read-only memory location.
+ * But this shouldn't happen as attribute's value normally is
+ * null terminated.
+ */
+ if (attr->value.ptr[attr->value.slen] != 0 &&
+ attr->value.ptr[attr->value.slen] != '\r')
+ {
+ pj_assert(!"Shouldn't happen");
+ term = attr->value.ptr[attr->value.slen];
+ attr->value.ptr[attr->value.slen] = '\0';
+ }
+
pj_scan_init(&scanner, (char*)attr->value.ptr, attr->value.slen,
PJ_SCAN_AUTOSKIP_WS, &on_scanner_error);
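Review bot: The new check on `attr->value.ptr[attr->value.slen]` reads, and in the fallback branch writes, one byte past the length the pj_str_t declares, so for a value whose storage is exactly `slen` bytes this is an out-of-bounds access and not only the read-only-memory crash the comment mentions. If `pj_assert` is compiled out in release builds, as is usual for assertion macros, the `'\0'` write is what actually runs there. If attributes can reach this function without going through `pj_strdup_with_null`, consider scanning a terminated copy instead of patching the caller's buffer, or at least state the precondition in the comment: `/* Precondition: value.ptr has at least slen+1 readable and writable bytes. */`. The added `PJ_ASSERT_RETURN(attr->value.slen != 0, ...)` also appears to turn an empty rtpmap value, which may originate from a remote SDP, into an assertion failure in debug builds; a plain `if (attr->value.slen == 0) return PJMEDIA_SDP_EINATTR;` would reject it without aborting. The function body starts before and continues after this hunk.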
@@ -310,6 +327,9 @@
on_return:
pj_scan_fini(&scanner);
+ if (term) {
+ attr->value.ptr[attr->value.slen] = term;
+ }
return status;
}