From ddd1da862bcdb019a518991245c1deed6d18c1ab Mon Sep 17 00:00:00 2001
From: Benny Prijono
Date: Sun, 2 Jul 2006 13:36:50 +0000
Subject: Fixed bug in SDP rtpmap parsing that caused SDP failed to parse the rtpmap attribute (because input is not null terminated)
git-svn-id: http://svn.pjsip.org/repos/pjproject/trunk@572 74dad513-b988-da41-8d7b-12977e46ad98
---
 pjmedia/src/pjmedia/sdp.c | 24 ++++++++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/pjmedia/src/pjmedia/sdp.c b/pjmedia/src/pjmedia/sdp.c
index 57e89874..09e5217f 100644
--- a/pjmedia/src/pjmedia/sdp.c
+++ b/pjmedia/src/pjmedia/sdp.c
@@ -101,7 +101,7 @@ PJ_DEF(pjmedia_sdp_attr*) pjmedia_sdp_attr_create( pj_pool_t *pool,
 pj_strdup2(pool, &attr->name, name);
 if (value)
- pj_strdup(pool, &attr->value, value);
+ pj_strdup_with_null(pool, &attr->value, value);
 else {
 attr->value.ptr = NULL;
 attr->value.slen = 0;
@@ -120,7 +120,7 @@ PJ_DEF(pjmedia_sdp_attr*) pjmedia_sdp_attr_clone(pj_pool_t *pool,
 attr = pj_pool_alloc(pool, sizeof(pjmedia_sdp_attr));
 pj_strdup(pool, &attr->name, &rhs->name);
- pj_strdup(pool, &attr->value, &rhs->value);
+ pj_strdup_with_null(pool, &attr->value, &rhs->value);
 return attr;
 }
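Review bot: The switch to `pj_strdup_with_null` in pjmedia_sdp_attr_create (and the same change in pjmedia_sdp_attr_clone, the next hunk) sets up a guarantee that nothing in the code states: the byte at `value.ptr[value.slen]` is readable and zero, which pjmedia_sdp_attr_get_rtpmap now depends on. I would record that at both call sites, e.g. `/* value is stored NUL-terminated; pjmedia_sdp_attr_get_rtpmap() reads value.ptr[value.slen] */`, so that a later edit back to `pj_strdup` is recognised as reintroducing a read past the end of the string. Attributes whose value is filled in without going through these two functions (none are visible in this patch) would not get the terminator and should be checked. Both function bodies start outside their hunks.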
@@ -249,10 +249,27 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_rtpmap( const pjmedia_sdp_attr *attr,
 pj_scanner scanner;
 pj_str_t token;
 pj_status_t status = -1;
+ char term = 0;
 PJ_USE_EXCEPTION;
 PJ_ASSERT_RETURN(pj_strcmp2(&attr->name, "rtpmap")==0, PJ_EINVALIDOP);
+ PJ_ASSERT_RETURN(attr->value.slen != 0, PJMEDIA_SDP_EINATTR);
+
+ /* Check if input is null terminated, and null terminate if
+ * necessary. Unfortunately this may crash the application if
+ * attribute was allocated from a read-only memory location.
+ * But this shouldn't happen as attribute's value normally is
+ * null terminated.
+ */
+ if (attr->value.ptr[attr->value.slen] != 0 &&
+ attr->value.ptr[attr->value.slen] != '\r')
+ {
+ pj_assert(!"Shouldn't happen");
+ term = attr->value.ptr[attr->value.slen];
+ attr->value.ptr[attr->value.slen] = '\0';
+ }
+
 pj_scan_init(&scanner, (char*)attr->value.ptr, attr->value.slen, PJ_SCAN_AUTOSKIP_WS, &on_scanner_error);
@@ -310,6 +327,9 @@ PJ_DEF(pj_status_t) pjmedia_sdp_attr_get_rtpmap( const pjmedia_sdp_attr *attr,
 on_return: pj_scan_fini(&scanner);
+ if (term) {
+ attr->value.ptr[attr->value.slen] = term;
+ }
 return status;
 }
-- 
cgit v1.2.3
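Review bot: The new check in pjmedia_sdp_attr_get_rtpmap reads `attr->value.ptr[attr->value.slen]`, one byte beyond the length the `pj_str_t` declares, and the fallback branch writes there too, so a value whose buffer ends exactly at `slen` is read and written out of bounds, and the caller's `const` attribute is modified while the scan runs (the `const` covers the struct, not the bytes `value.ptr` points to). The test accepts only `0` and `'\r'`; if a value can point into SDP text with bare LF line ends, the following `'\n'` would presumably hit the `pj_assert` in debug builds and the in-place patch otherwise, which matters when the SDP comes from a remote peer. The restore in the last hunk runs only at `on_return`, and the body between the two hunks is not shown, so any exit that bypasses the label would leave the byte overwritten. I would drop the write and its restore and reject the unterminated case instead, `return PJMEDIA_SDP_EINATTR;` in place of the three statements in the `if` body, with the terminator guaranteed wherever attributes are built.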