From 7913d91635cf2aa0c74f039a4a43a0805568aa8a Mon Sep 17 00:00:00 2001
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Date: Thu, 23 May 2013 12:01:12 -0700
Subject: lib: Fix sdp_seq_alloc_with_length accessing invalid index/memory

The sequence itself is not an index of dtds, values, lengths, thats why
SDP_SEQ8 is used directly as dtd, so accessing length[i] is always off
by one.

Furthermore the length is not really used by sdp_data_alloc_with_length
when the dtd is SDP_SEQ8 which is probably why it doesn't crash.
---
 lib/sdp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'lib')

diff --git a/lib/sdp.c b/lib/sdp.c
index cc685b461..7f8f92b60 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -535,7 +535,7 @@ sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length,
 		curr = data;
 	}
 
-	return sdp_data_alloc_with_length(SDP_SEQ8, seq, length[i]);
+	return sdp_data_alloc(SDP_SEQ8, seq);
 }
 
 sdp_data_t *sdp_seq_alloc(void **dtds, void **values, int len)
-- 
cgit v1.2.3