On Thu, Mar 11, 2010 at 8:43 AM, Jeremy Noring <span dir="ltr"><<a href="mailto:jnoring@logitech.com">jnoring@logitech.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
In RTCP.cpp,<br><br>SDESItem::SDESItem(unsigned char tag, unsigned char const* value) {<br> unsigned length = strlen((char const*)value);<br> if (length > 511) length = 511;<br><br> fData[0] = tag;<br> fData[1] = (unsigned char)length;<br>
memmove(&fData[2], value, length);<br><br> // Pad the trailing bytes to a 4-byte boundary:<br> while ((length)%4 > 0) fData[2 + length++] = '\0';<br>}<br><br>length is 511 bytes, and the additional padding at the end tacks on up to 3 more bytes. However, the buffer to which memory is being written to in RTCP.hh is declared as:<br>
<br>unsigned char fData[2 + 0xFF]; // first 2 bytes are tag and length<br><br>...which is only 257 bytes. It needs to be at least 515 bytes in length (511+ 2 is 513; padded to before the nearest 4 byte boundary bumps that up to 515). So that line should change to:<br>
<br>unsigned char fData[2 + 513]; // first 2 bytes are tag and length<br><br>Either that, or the upper bound on "length" in the constructor needs to be shortened. (to work with 2 + 0xFF, length would need to be no greater than 251)<br>
<br>Thanks,<br><font color="#888888"><br>Jeremy<br></font></blockquote><div><br>Actually, on second glance, the only realistic option is to shorten length, because only a single byte is allotted to the size field in fData[1]. (note that length is cast to unsigned char). So in RTCP.cpp, I'd change this line:<br>
<br>if (length > 251) length = 251;<br><br>-Jeremy<br> </div></div><br>