We read every piece of feedback, and take your input very seriously.
To see all available qualifiers, see our documentation.
1 parent cc339ac commit 8b621f1Copy full SHA for 8b621f1
pjmedia/src/pjmedia/rtcp.c
@@ -757,8 +757,15 @@ static void parse_rtcp_bye(pjmedia_rtcp_session *sess,
757
758
/* Check and get BYE reason */
759
if (size > 8) {
760
+ /* Make sure the BYE reason does not exceed:
761
+ * - the size of the available buffer
762
+ * - the declared reason's length
763
+ * - the actual packet size
764
+ */
765
reason.slen = PJ_MIN(sizeof(sess->stat.peer_sdes_buf_),
766
*((pj_uint8_t*)pkt+8));
767
+ reason.slen = PJ_MIN(reason.slen, size-9);
768
+
769
pj_memcpy(sess->stat.peer_sdes_buf_, ((pj_uint8_t*)pkt+9),
770
reason.slen);
771
reason.ptr = sess->stat.peer_sdes_buf_;
0 commit comments