On Tue, 2009-03-24 at 11:55 +0000, Bastien Nocera wrote:
> Spotted by Luiz, another invalid memory access when trying to read past
> the end of a string that's not nul-terminated.
>
> strndup to the rescue.

Never mind, previous patch was off by one. Corrected patch attached.
>From 0606404a81cc73e7a1ee90da9641a6a87c8f6f43 Mon Sep 17 00:00:00 2001 From: Bastien Nocera <hadess@xxxxxxxxxx> Date: Tue, 24 Mar 2009 11:46:18 +0000 Subject: [PATCH] Fix invalid memory access when dealing with URLs Just like strings attributes, URLs might not be NUL-terminated. Make sure we don't read past the end of the allocated memory when copying them. --- common/sdp-xml.c | 9 ++++++++- 1 files changed, 8 insertions(+), 1 deletions(-) diff --git a/common/sdp-xml.c b/common/sdp-xml.c index 608de76..18473d0 100644 --- a/common/sdp-xml.c +++ b/common/sdp-xml.c @@ -25,6 +25,7 @@ #include <config.h> #endif +#define _GNU_SOURCE #include <stdio.h> #include <errno.h> #include <ctype.h> @@ -323,11 +324,17 @@ static void convert_raw_data_to_xml(sdp_data_t *value, int indent_level, case SDP_URL_STR8: case SDP_URL_STR16: case SDP_URL_STR32: + { + char *strBuf; + appender(data, indent); appender(data, "<url value=\""); - appender(data, value->val.str); + strBuf = strndup(value->val.str, value->unitSize - 1); + appender(data, strBuf); + free(strBuf); appender(data, "\" />\n"); break; + } case SDP_SEQ8: case SDP_SEQ16: -- 1.6.0.6
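Review bot: In the first hunk of common/sdp-xml.c, `#define _GNU_SOURCE` is added unconditionally right after the `#include <config.h>` block, so if config.h already defines the macro with a different value the compiler may warn about a redefinition. Wrapping it in `#ifndef _GNU_SOURCE` / `#endif` avoids that. Its position ahead of `<stdio.h>` and the other system headers should be kept, since the macro has to be seen before the first libc include to take effect.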
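Review bot: In the SDP_URL_STR8/16/32 case of the second hunk, the result of `strndup(value->val.str, value->unitSize - 1)` goes straight to `appender(data, strBuf)` without a NULL check, so an allocation failure hands appender() a NULL pointer. Check `strBuf` before use and skip the value or bail out on failure. The length `value->unitSize - 1` is also not bounded below: if unitSize can be 0 on this path, the subtraction yields a value that becomes a very large size_t, and strndup then copies until it finds a NUL, which is the over-read this patch is meant to stop. A guard on unitSize before the subtraction would cover that, and a one-line comment saying which byte the `- 1` accounts for would help, given the previous version of the patch was off by one.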