diff options
author | Luiz Augusto von Dentz <luiz.dentz@openbossa.org> | 2008-11-13 14:38:59 -0300 |
---|---|---|
committer | Luiz Augusto von Dentz <luiz.dentz@openbossa.org> | 2008-11-13 14:53:16 -0300 |
commit | 8ab9a6d32c2e5bbb8af27b1951e74ec5539cd78e (patch) | |
tree | bc75a77e21d8f926f466fcfeb02c7fade27a8e7d /common | |
parent | de8c5c3404c932a4e35eabd3d9b14ef6e8bcf918 (diff) |
Fix possible invalid read.
The unitSize were being used as the string length when in fact it is
always one byte bigger than the length where the extra byte is allocated
for the dtd.
Diffstat (limited to 'common')
-rw-r--r-- | common/sdp-xml.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/common/sdp-xml.c b/common/sdp-xml.c index 1e1e07c3..eac88bf1 100644 --- a/common/sdp-xml.c +++ b/common/sdp-xml.c @@ -235,10 +235,10 @@ static void convert_raw_data_to_xml(sdp_data_t *value, int indent_level, hex = 0; int num_chars_to_escape = 0; + int length = value->unitSize - 1; - for (i = 0; i < value->unitSize; i++) { - if (i == (value->unitSize - 1) - && value->val.str[i] == '\0') + for (i = 0; i < length; i++) { + if (value->val.str[i] == '\0') break; if (!isprint(value->val.str[i])) { hex = 1; @@ -281,7 +281,7 @@ static void convert_raw_data_to_xml(sdp_data_t *value, int indent_level, strBuf = (char *) malloc(sizeof(char) * (value->unitSize + 1 + num_chars_to_escape * 4)); - for (i = 0, j = 0; i < value->unitSize; i++) { + for (i = 0, j = 0; i < length; i++) { if (value->val.str[i] == '&') { strBuf[j++] = '&'; strBuf[j++] = 'a'; |