From: Tilghman Lesher <tilghman@meg.abyt.es>
Date: Tue, 2 Dec 2008 17:42:09 +0000 (+0000)
Subject: When the text does not match exactly (e.g. RTP/SAVP), then the %n conversion
X-Git-Tag: 1.4.23-rc3~3^2~67
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a8736b03e92869dd2f71d39e5159e9f8e1688d71;p=thirdparty%2Fasterisk.git

When the text does not match exactly (e.g. RTP/SAVP), then the %n conversion
fails, and the resulting integer is garbage.  Thus, we must initialize the
integer and check it afterwards for success.
(closes issue #14000)
 Reported by: folke
 Patches:
       asterisk-sipbg-sscanf-1.4.22.diff uploaded by folke (license 626)
       asterisk-sipbg-sscanf-1.6.0.1.diff uploaded by folke (license 626)
       asterisk-sipbg-sscanf-trunk-r159896.diff uploaded by folke (license 626)


git-svn-id: https://origsvn.digium.com/svn/asterisk/branches/1.4@160297 65c4cc65-6c06-0410-ace0-fbb531ad65f3
---

diff --git a/channels/chan_sip.c b/channels/chan_sip.c
index 0eb2336d10..a98afc3d9b 100644
--- a/channels/chan_sip.c
+++ b/channels/chan_sip.c
@@ -5185,8 +5185,9 @@ static int process_sdp(struct sip_pvt *p, struct sip_request *req)
 		int audio = FALSE;
 
 		numberofports = 1;
-		if ((sscanf(m, "audio %d/%d RTP/AVP %n", &x, &numberofports, &len) == 2) ||
-		    (sscanf(m, "audio %d RTP/AVP %n", &x, &len) == 1)) {
+		len = -1;
+		if ((sscanf(m, "audio %d/%d RTP/AVP %n", &x, &numberofports, &len) == 2 && len > 0) ||
+		    (sscanf(m, "audio %d RTP/AVP %n", &x, &len) == 1 && len > 0)) {
 			audio = TRUE;
 			numberofmediastreams++;
 			/* Found audio stream in this media definition */
@@ -5201,8 +5202,8 @@ static int process_sdp(struct sip_pvt *p, struct sip_request *req)
 					ast_verbose("Found RTP audio format %d\n", codec);
 				ast_rtp_set_m_type(newaudiortp, codec);
 			}
-		} else if ((sscanf(m, "video %d/%d RTP/AVP %n", &x, &numberofports, &len) == 2) ||
-		    (sscanf(m, "video %d RTP/AVP %n", &x, &len) == 1)) {
+		} else if ((sscanf(m, "video %d/%d RTP/AVP %n", &x, &numberofports, &len) == 2 && len > 0) ||
+		    (sscanf(m, "video %d RTP/AVP %n", &x, &len) == 1 && len >= 0)) {
 			/* If it is not audio - is it video ? */
 			ast_clear_flag(&p->flags[0], SIP_NOVIDEO);	
 			numberofmediastreams++;
@@ -5217,8 +5218,8 @@ static int process_sdp(struct sip_pvt *p, struct sip_request *req)
 					ast_verbose("Found RTP video format %d\n", codec);
 				ast_rtp_set_m_type(newvideortp, codec);
 			}
-		} else if (p->udptl && ( (sscanf(m, "image %d udptl t38%n", &x, &len) == 1) || 
-		 (sscanf(m, "image %d UDPTL t38%n", &x, &len) == 1) )) {
+		} else if (p->udptl && ( (sscanf(m, "image %d udptl t38%n", &x, &len) == 1 && len > 0) || 
+		 (sscanf(m, "image %d UDPTL t38%n", &x, &len) == 1 && len >= 0) )) {
 			if (debug)
 				ast_verbose("Got T.38 offer in SDP in dialog %s\n", p->callid);
 			udptlportno = x;