Closed. Lkerenl closed this 4 months ago
Please change line 759 of sdp.c to: while(sdp->raw[sdp->offset] && strchr(" \t", sdp->raw[sdp->offset]))
The diff is as follows:
diff --git "a/librtsp/source/sdp.c" "b/librtsp/source/sdp.c"
index fe7cd97..4b12865 100644
--- "a/librtsp/source/sdp.c"
+++ "b/librtsp/source/sdp.c"
@@ -756,7 +756,7 @@ static int sdp_parse_repeat(struct sdp_t* sdp)
r->duration = sdp->raw + sdp->offset;
n[1] = sdp_token_word(sdp, " \t\r\n");
- while(strchr(" \t", sdp->raw[sdp->offset]))
+ while(sdp->raw[sdp->offset] && strchr(" \t", sdp->raw[sdp->offset]))
{
if(n[2] > 0 && offset)
{
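Review bot: the added `sdp->raw[sdp->offset] &&` guard is the whole fix, and it is needed because `strchr(" \t", '\0')` is not NULL: strchr treats the terminator of the set as part of the search, so the old condition was true at the end of the buffer and the loop kept stepping past it. The guard has to sit before the strchr call, as it does here, so short-circuit evaluation stops at the terminator. Worth grepping sdp.c for other `while(strchr(...))` whitespace skips written the same way, since each has the same over-read.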
There also seems to be a heap overflow when parsing the timezone: in sdp_destory I can see it free() a very large block. payload:
echo -ne "t=\x0az=0 0 0 0" | ./sdp_test
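The terminator pitfall behind the first hunk, as an added example that is not part of this issue or of librtsp: strchr() searches the set's own terminator, so the original loop condition holds on '\0' and the scan walks past the end of the string. The mini parser struct, token_word() and the constructed r= buffer below are stand-ins (assumptions), not the library's code; the buggy loop is confined to a sentinel-bounded array so the demonstration itself stays in bounds.

```c
#include <stddef.h>
#include <string.h>

/* Added example (not librtsp code): why the loop at sdp.c:759 needed the
 * "raw[offset] &&" guard.  strchr() searches the terminator too, so
 * strchr(" \t", '\0') returns a pointer to the end of " \t", never NULL. */
int strchr_matches_nul(void)
{
    return strchr(" \t", '\0') != NULL;
}

/* Minimal stand-in for the parser state in the issue (assumed layout). */
struct mini_sdp {
    const char *raw;
    size_t offset;
};

/* Advance over one token; stop at NUL or at any byte in delims.
 * Stand-in for sdp_token_word() in the diff (assumption). */
static size_t token_word(struct mini_sdp *s, const char *delims)
{
    size_t start = s->offset;
    while (s->raw[s->offset] && !strchr(delims, s->raw[s->offset]))
        s->offset++;
    return s->offset - start;
}

/* The two whitespace-skip loops from the hunk.  The buggy one steps over
 * the terminator and keeps going until it meets a byte that is neither
 * ' ' nor '\t' nor '\0'; call it only on make_buffer()'s sentinel-bounded
 * buffer, where that walk stays inside the array. */
static void skip_ws_buggy(struct mini_sdp *s)
{
    while (strchr(" \t", s->raw[s->offset]))
        s->offset++;
}

static void skip_ws_fixed(struct mini_sdp *s)
{
    while (s->raw[s->offset] && strchr(" \t", s->raw[s->offset]))
        s->offset++;
}

/* Constructed input: an r= line "r=604800 3600" whose NUL sits at buf[13],
 * followed by stale spaces (standing in for whatever lies past the string
 * on the heap) and a non-space sentinel 'X' at buf[30]. */
#define DEMO_BUF_LEN 32
void make_buffer(char *buf)
{
    memset(buf, ' ', DEMO_BUF_LEN);
    memcpy(buf, "r=604800 3600", 14);   /* 13 chars + terminator at buf[13] */
    buf[DEMO_BUF_LEN - 2] = 'X';
    buf[DEMO_BUF_LEN - 1] = '\0';
}

/* Mirror sdp_parse_repeat(): interval token, whitespace, duration token,
 * then the whitespace skip under test.  Returns the final offset. */
size_t scan_after_duration(const char *raw, int fixed)
{
    struct mini_sdp s = { raw, 0 };
    token_word(&s, " \t\r\n");   /* "r=604800" -> offset 8 */
    skip_ws_fixed(&s);           /* -> offset 9 */
    token_word(&s, " \t\r\n");   /* "3600" -> offset 13, stopped by the NUL */
    if (fixed)
        skip_ws_fixed(&s);       /* stops at the terminator: 13 */
    else
        skip_ws_buggy(&s);       /* walks through the NUL to the 'X' at 30 */
    return s.offset;
}
```

On the real heap there is no 'X' sentinel after the string, so the unguarded loop keeps reading until it happens to hit a byte that is not space, tab or NUL, which is the over-read the guard removes.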
Confirmed, there is a problem: the variable name was wrong, t->r.count -> t->z.count
diff --git "a/librtsp/source/sdp.c" "b/librtsp/source/sdp.c"
index fe7cd97..3d13c1b 100644
--- "a/librtsp/source/sdp.c"
+++ "b/librtsp/source/sdp.c"
@@ -756,7 +756,7 @@ static int sdp_parse_repeat(struct sdp_t* sdp)
r->duration = sdp->raw + sdp->offset;
n[1] = sdp_token_word(sdp, " \t\r\n");
- while(strchr(" \t", sdp->raw[sdp->offset]))
+ while(sdp->raw[sdp->offset] && strchr(" \t", sdp->raw[sdp->offset]))
{
if(n[2] > 0 && offset)
{
@@ -829,11 +829,11 @@ static int sdp_parse_timezone(struct sdp_t* sdp)
t->z.capacity += 8;
}
- z = &t->z.ptr[t->r.count - N_TIMEZONE];
+ z = &t->z.ptr[t->z.count - N_TIMEZONE];
}
else
{
- z = &t->z.timezones[t->r.count];
+ z = &t->z.timezones[t->z.count];
}
z->time = time;
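Review bot: the index must use the same counter that the growth check just above it works on: `t->z.capacity += 8` reserves room for the timezone list, so indexing `t->z.ptr` and `t->z.timezones` by `t->r.count` (the repeat count) writes the entry at a position that has nothing to do with what was reserved, and `t->r.count - N_TIMEZONE` goes negative when fewer than N_TIMEZONE repeats were parsed, which fits the corrupted free reported for the `t=\nz=0 0 0 0` payload. Switching both lines to `t->z.count` keeps the write inside the reserved range; feeding that payload through sdp_test as a regression case would keep this from coming back.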
Reproduction:
payload: