diff options
author | Luiz Augusto von Dentz <luiz.von.dentz@intel.com> | 2013-05-23 12:01:12 -0700 |
---|---|---|
committer | Johan Hedberg <johan.hedberg@intel.com> | 2013-05-23 14:57:09 -0700 |
commit | 7913d91635cf2aa0c74f039a4a43a0805568aa8a (patch) | |
tree | 00585e52be897618e6d3a23134102305fb50e69e | |
parent | 5316ed07d5640fa7d32a09b1739006c8b029f043 (diff) | |
download | bluez-7913d91635cf2aa0c74f039a4a43a0805568aa8a.tar.gz |
lib: Fix sdp_seq_alloc_with_length accessing invalid index/memory
The sequence itself is not an index of dtds, values, lengths, thats why
SDP_SEQ8 is used directly as dtd, so accessing length[i] is always off
by one.
Furthermore the length is not really used by sdp_data_alloc_with_length
when the dtd is SDP_SEQ8 which is probably why it doesn't crash.
-rw-r--r-- | lib/sdp.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -535,7 +535,7 @@ sdp_data_t *sdp_seq_alloc_with_length(void **dtds, void **values, int *length, curr = data; } - return sdp_data_alloc_with_length(SDP_SEQ8, seq, length[i]); + return sdp_data_alloc(SDP_SEQ8, seq); } sdp_data_t *sdp_seq_alloc(void **dtds, void **values, int len) |