Misc (re #1843): Add index checking to some SDP attr operations. These operations use count parameter as index doesn't check the value which might lead to crash if the count param exceed PJMEDIA_MAX_SDP_ATTR.

git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@5106 74dad513-b988-da41-8d7b-12977e46ad98
author: Riza Sulistyo <riza@teluu.com> 2015-06-12 03:03:48 +0000
committer: Riza Sulistyo <riza@teluu.com> 2015-06-12 03:03:48 +0000
commit: 12171fa04c4254fd587ae10b43c67750716a0386 (patch)
tree: dc9da7605bcc8e1fb7478b5d70aaf0fcbb071b9d /pjmedia
parent: d67c451551a7ca11096f3262befd089d0ebeb062 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
index 5451ed35..5ab7e943 100644
--- a/pjmedia/src/pjmedia/sdp.c
+++ b/pjmedia/src/pjmedia/sdp.c
@@ -144,6 +144,8 @@ PJ_DEF(pjmedia_sdp_attr*) pjmedia_sdp_attr_find (unsigned count,
     unsigned i;
     unsigned c_pt = 0xFFFF;
 
+    PJ_ASSERT_RETURN(count < PJMEDIA_MAX_SDP_ATTR, NULL);
+
     if (c_fmt)
 	c_pt = pj_strtoul(c_fmt);
 
@@ -199,6 +201,7 @@ PJ_DEF(unsigned) pjmedia_sdp_attr_remove_all(unsigned *count,
     pj_str_t attr_name;
 
     PJ_ASSERT_RETURN(count && attr_array && name, PJ_EINVAL);
+    PJ_ASSERT_RETURN(*count < PJMEDIA_MAX_SDP_ATTR, PJ_ETOOMANY);
 
     attr_name.ptr = (char*)name;
     attr_name.slen = pj_ansi_strlen(name);
@@ -225,6 +228,7 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_remove( unsigned *count,
     unsigned i, removed=0;
 
     PJ_ASSERT_RETURN(count && attr_array && attr, PJ_EINVAL);
+    PJ_ASSERT_RETURN(*count < PJMEDIA_MAX_SDP_ATTR, PJ_ETOOMANY);
 
     for (i=0; i<*count; ) {
 	if (attr_array[i] == attr) {
author	Riza Sulistyo <riza@teluu.com>	2015-06-12 03:03:48 +0000
committer	Riza Sulistyo <riza@teluu.com>	2015-06-12 03:03:48 +0000
commit	12171fa04c4254fd587ae10b43c67750716a0386 (patch)
tree	dc9da7605bcc8e1fb7478b5d70aaf0fcbb071b9d /pjmedia
parent	d67c451551a7ca11096f3262befd089d0ebeb062 (diff)