summaryrefslogtreecommitdiffstats
path: root/common
diff options
context:
space:
mode:
authorLuiz Augusto von Dentz <luiz.dentz@openbossa.org>2008-11-13 14:38:59 -0300
committerLuiz Augusto von Dentz <luiz.dentz@openbossa.org>2008-11-13 14:53:16 -0300
commit8ab9a6d32c2e5bbb8af27b1951e74ec5539cd78e (patch)
treebc75a77e21d8f926f466fcfeb02c7fade27a8e7d /common
parentde8c5c3404c932a4e35eabd3d9b14ef6e8bcf918 (diff)
Fix possible invalid read.
The unitSize were being used as the string length when in fact it is always one byte bigger than the length where the extra byte is allocated for the dtd.
Diffstat (limited to 'common')
-rw-r--r--common/sdp-xml.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/common/sdp-xml.c b/common/sdp-xml.c
index 1e1e07c3..eac88bf1 100644
--- a/common/sdp-xml.c
+++ b/common/sdp-xml.c
@@ -235,10 +235,10 @@ static void convert_raw_data_to_xml(sdp_data_t *value, int indent_level,
hex = 0;
int num_chars_to_escape = 0;
+ int length = value->unitSize - 1;
- for (i = 0; i < value->unitSize; i++) {
- if (i == (value->unitSize - 1)
- && value->val.str[i] == '\0')
+ for (i = 0; i < length; i++) {
+ if (value->val.str[i] == '\0')
break;
if (!isprint(value->val.str[i])) {
hex = 1;
@@ -281,7 +281,7 @@ static void convert_raw_data_to_xml(sdp_data_t *value, int indent_level,
strBuf = (char *)
malloc(sizeof(char) *
(value->unitSize + 1 + num_chars_to_escape * 4));
- for (i = 0, j = 0; i < value->unitSize; i++) {
+ for (i = 0, j = 0; i < length; i++) {
if (value->val.str[i] == '&') {
strBuf[j++] = '&';
strBuf[j++] = 'a';