sdp解析异常r行报文存在死循环

[Lkerenl]

复现如下：

//sdp_test.c
#include "sdp.h"
#include <unistd.h>

int main() {
    unsigned char buf[4096];
    int len = read(0,buf,4096);
    sdp_t* sdp = sdp_parse(buf, len);
    if (sdp != 0)
        sdp_destroy(sdp); 

    return 0;
}

payload：

gcc -static -I./src/media-server/librtsp/include/ ./sdp_test.c ./librtsp.a  -o sdp_test
echo -ne "t=0 0\x0ar=\x00\x0a" | ./sdp_test

[ireader]

麻烦修改sdp.cp文件759行，while(sdp->raw[sdp->offset] && strchr(" \t", sdp->raw[sdp->offset]))

diff如下：

diff --git "a/librtsp/source/sdp.c" "b/librtsp/source/sdp.c"
index fe7cd97..4b12865 100644
--- "a/librtsp/source/sdp.c"
+++ "b/librtsp/source/sdp.c"
@@ -756,7 +756,7 @@ static int sdp_parse_repeat(struct sdp_t* sdp)
    r->duration = sdp->raw + sdp->offset;
    n[1] = sdp_token_word(sdp, " \t\r\n");

-   while(strchr(" \t", sdp->raw[sdp->offset]))
+   while(sdp->raw[sdp->offset] && strchr(" \t", sdp->raw[sdp->offset]))
    {
        if(n[2] > 0 && offset)
        {

[Lkerenl]

timezone解析的时候貌似还有个堆溢出的问题，sdp_destory的时候看到会free一个很大的块。 payload：

echo -ne "t=\x0az=0 0 0 0" | ./sdp_test

[ireader]

确实是有问题， 变量名搞错了， t->r.count -> t->z.count

diff --git "a/librtsp/source/sdp.c" "b/librtsp/source/sdp.c"
index fe7cd97..3d13c1b 100644
--- "a/librtsp/source/sdp.c"
+++ "b/librtsp/source/sdp.c"
@@ -756,7 +756,7 @@ static int sdp_parse_repeat(struct sdp_t* sdp)
    r->duration = sdp->raw + sdp->offset;
    n[1] = sdp_token_word(sdp, " \t\r\n");

-   while(strchr(" \t", sdp->raw[sdp->offset]))
+   while(sdp->raw[sdp->offset] && strchr(" \t", sdp->raw[sdp->offset]))
    {
        if(n[2] > 0 && offset)
        {
@@ -829,11 +829,11 @@ static int sdp_parse_timezone(struct sdp_t* sdp)
                t->z.capacity += 8;
            }

-           z = &t->z.ptr[t->r.count - N_TIMEZONE];
+           z = &t->z.ptr[t->z.count - N_TIMEZONE];
        }
        else
        {
-           z = &t->z.timezones[t->r.count];
+           z = &t->z.timezones[t->z.count];
        }

        z->time = time;