In rtp.c:
if (sscanf(t+9, "%i %64c", &_payload, c) == 2)
the string c seems to be non-null terminated. It is later used as
follows:
c[strcspn(c, "\n")] = 0;
The same piece of code is responsible for the inability of pulseaudio
on OpenWRT to handle an RTP stream at the rate 48000 from another
machine:
[pulseaudio] sdp.c: Failed to parse SDP data: missing data.
It turns out that uClibc does not agree with glibc about "%64c", see
http://git.uclibc.org/uClibc/tree/docs/Glibc_vs_uClibc_Differences.txt
BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=92568
if (i->payload <= 127) {
char c[64];
int _payload;
+ int len;
- if (sscanf(t+9, "%i %64c", &_payload, c) == 2) {
-
+ if (sscanf(t + 9, "%i %n", &_payload, &len) == 1) {
if (_payload < 0 || _payload > 127) {
pa_log("Failed to parse SDP data: invalid payload %i.", _payload);
goto fail;
}
if (_payload == i->payload) {
-
+ strncpy(c, t + 9 + len, 63);
+ c[63] = 0;
c[strcspn(c, "\n")] = 0;
if (parse_sdp_sample_spec(&i->sample_spec, c))
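Review bot: In the new sscanf line, the == 1 check only proves that %i converted, because %n is not counted in the return value, while len is declared uninitialised and is then used as an offset in t + 9 + len. Initialise it to a sentinel (for example int len = -1;) and treat a negative value after the call as a parse failure, so the code does not depend on every libc storing %n when the input ends right after the payload number. The copy would also be easier to keep correct with sizeof(c) - 1 in the strncpy call and c[sizeof(c) - 1] = 0 instead of the literal 63, which has to be kept in step with char c[64] by hand.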