Fix possible invalid read.

The unitSize were being used as the string length when in fact it is always one byte bigger than the length where the extra byte is allocated for the dtd.
author: Luiz Augusto von Dentz <luiz.dentz@openbossa.org> 2008-11-13 14:38:59 -0300
committer: Luiz Augusto von Dentz <luiz.dentz@openbossa.org> 2008-11-13 14:53:16 -0300
commit: 8ab9a6d32c2e5bbb8af27b1951e74ec5539cd78e (patch)
tree: bc75a77e21d8f926f466fcfeb02c7fade27a8e7d /common
parent: de8c5c3404c932a4e35eabd3d9b14ef6e8bcf918 (diff)
1 files changed, 4 insertions, 4 deletions
diff --git a/common/sdp-xml.c b/common/sdp-xml.c
index 1e1e07c3..eac88bf1 100644
--- a/common/sdp-xml.c
+++ b/common/sdp-xml.c
@@ -235,10 +235,10 @@ static void convert_raw_data_to_xml(sdp_data_t *value, int indent_level,
 		hex = 0;
 
 		int num_chars_to_escape = 0;
+		int length = value->unitSize - 1;
 
-		for (i = 0; i < value->unitSize; i++) {
-			if (i == (value->unitSize - 1)
-			    && value->val.str[i] == '\0')
+		for (i = 0; i < length; i++) {
+			if (value->val.str[i] == '\0')
 				break;
 			if (!isprint(value->val.str[i])) {
 				hex = 1;
@@ -281,7 +281,7 @@ static void convert_raw_data_to_xml(sdp_data_t *value, int indent_level,
 			strBuf = (char *)
 				malloc(sizeof(char) *
 				(value->unitSize + 1 + num_chars_to_escape * 4));
-			for (i = 0, j = 0; i < value->unitSize; i++) {
+			for (i = 0, j = 0; i < length; i++) {
 				if (value->val.str[i] == '&') {
 					strBuf[j++] = '&';
 					strBuf[j++] = 'a';
author	Luiz Augusto von Dentz <luiz.dentz@openbossa.org>	2008-11-13 14:38:59 -0300
committer	Luiz Augusto von Dentz <luiz.dentz@openbossa.org>	2008-11-13 14:53:16 -0300
commit	8ab9a6d32c2e5bbb8af27b1951e74ec5539cd78e (patch)
tree	bc75a77e21d8f926f466fcfeb02c7fade27a8e7d /common
parent	de8c5c3404c932a4e35eabd3d9b14ef6e8bcf918 (diff)