From bd940fb570f31c384e89cea2379e79de61bedc8c Mon Sep 17 00:00:00 2001
From: Richard Fuchs
Date: Wed, 15 Dec 2021 09:27:07 -0500
Subject: [PATCH] TT#14008 call g_string_set_size before grabbing pointer

closes #1412
Change-Id: I02f97aa05788401586848cb36421f65828968864
(cherry picked from commit 219982ba06007065d8c7184027ba088b06cf6630)
---
 daemon/rtcp.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/daemon/rtcp.c b/daemon/rtcp.c
index d72e0d371..9a457f203 100644
--- a/daemon/rtcp.c
+++ b/daemon/rtcp.c
@@ -1402,8 +1402,8 @@ GString *rtcp_sender_report(uint32_t ssrc, uint32_t ts, uint32_t packets, uint32
 for (GList *l = rrs->head; l; l = l->next) {
 struct ssrc_ctx *s = l->data;
 if (i < 30) {
- struct report_block *rr = (void *) ret->str + ret->len;
- g_string_set_size(ret, ret->len + sizeof(*rr));
+ g_string_set_size(ret, ret->len + sizeof(struct report_block));
+ struct report_block *rr = (void *) ret->str + ret->len - sizeof(struct report_block);

 // XXX unify with transcode_rr

@@ -1439,6 +1439,7 @@ GString *rtcp_sender_report(uint32_t ssrc, uint32_t ts, uint32_t packets, uint32
 i++;
 }

+ sr = (void *) ret->str; // reacquire ptr after g_string_set_size
 sr->rtcp.header.count = n;
 sr->rtcp.header.length = htons((ret->len >> 2) - 1);

@@ -1456,8 +1457,8 @@ GString *rtcp_sender_report(uint32_t ssrc, uint32_t ts, uint32_t packets, uint32

 assert(sizeof(*sdes) == 24);

- sdes = (void *) ret->str + ret->len;
 g_string_set_size(ret, ret->len + sizeof(*sdes));
+ sdes = (void *) ret->str + ret->len - sizeof(*sdes);
 *sdes = (__typeof(*sdes)) {
 .sdes.header.version = 2,
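Review bot: The new `rr` derivation in the first hunk is correct only because it runs after the resize, and nothing on those two lines says so. g_string_set_size() can reallocate the buffer, so a later reorder would bring back a write through a stale heap pointer. Capturing the offset first makes the dependency explicit and drops the subtraction: `size_t off = ret->len;`, `g_string_set_size(ret, off + sizeof(struct report_block));`, `struct report_block *rr = (void *) (ret->str + off);`. The `sdes` assignment in the last hunk has the same shape and would benefit from the same form. The loop body continues outside this hunk, so whether `sr` or any other pointer into `ret->str` is used there before the re-acquire after the loop cannot be checked from here.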
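Review bot: The `sr` re-acquired in the second hunk is valid only until `ret` next grows, and the SDES append in the following hunk calls g_string_set_size() again. The two header writes right after the re-acquire are fine. Any use of `sr` after the SDES resize may point into freed memory, and the rest of the function is not visible in this hunk. I would extend the comment to say so, for example `// reacquire ptr after g_string_set_size; stale again after the next resize of ret`. Alternatively, keep a byte offset to the SR header and derive the pointer at each point of use.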