From 8ab9a6d32c2e5bbb8af27b1951e74ec5539cd78e Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz
Date: Thu, 13 Nov 2008 14:38:59 -0300
Subject: Fix possible invalid read.
The unitSize were being used as the string length when in fact it is always one byte bigger than the length where the extra byte is allocated for the dtd.
---
 common/sdp-xml.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'common/sdp-xml.c')
diff --git a/common/sdp-xml.c b/common/sdp-xml.c
index 1e1e07c3..eac88bf1 100644
--- a/common/sdp-xml.c
+++ b/common/sdp-xml.c
@@ -235,10 +235,10 @@ static void convert_raw_data_to_xml(sdp_data_t *value, int indent_level,
 hex = 0;
 int num_chars_to_escape = 0;
+ int length = value->unitSize - 1;
- for (i = 0; i < value->unitSize; i++) {
- if (i == (value->unitSize - 1)
- && value->val.str[i] == '\0')
+ for (i = 0; i < length; i++) {
+ if (value->val.str[i] == '\0')
 break;
 if (!isprint(value->val.str[i])) {
 hex = 1;
@@ -281,7 +281,7 @@ static void convert_raw_data_to_xml(sdp_data_t *value, int indent_level,
 strBuf = (char *) malloc(sizeof(char) * (value->unitSize + 1 + num_chars_to_escape * 4));
- for (i = 0, j = 0; i < value->unitSize; i++) {
+ for (i = 0, j = 0; i < length; i++) {
 if (value->val.str[i] == '&') {
 strBuf[j++] = '&';
 strBuf[j++] = 'a';
-- cgit
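Review bot: The `isprint(value->val.str[i])` call kept in the first hunk's scan loop is undefined behaviour for bytes above 0x7f if `val.str` is a plain `char *` on a platform where `char` is signed. The string presumably originates from a parsed SDP record, so such bytes can occur; the call should read `if (!isprint((unsigned char) value->val.str[i])) {`. The new `int length = value->unitSize - 1;` would also benefit from a short comment such as `/* unitSize also counts the DTD byte */`, so the bound is not later mistaken for an off-by-one. convert_raw_data_to_xml starts and ends outside the hunk.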
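Review bot: In the second hunk the copy loop writes through `strBuf` (`strBuf[j++] = '&';`) with no NULL check on the `malloc` result visible between the allocation and the loop. A guard such as `if (!strBuf) return;` before the loop would avoid a NULL dereference on allocation failure, though any cleanup the function needs is outside the hunk and should be confirmed. The size still budgets `num_chars_to_escape * 4` extra bytes, which matches the five-byte `&amp;` whose start is shown here. It is worth confirming that no entity written further down the loop, outside this hunk, expands a character by more than four bytes, since that would write past the buffer.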