From 0981ec5b15e1782de99126acf25211c96bc2cc99 Mon Sep 17 00:00:00 2001
From: =?utf8?q?R=C3=A9mi=20Denis-Courmont?= <rem@videolan.org>
Date: Thu, 4 Aug 2005 17:03:42 +0000
Subject: [PATCH] Fix heap buffer overflow

---
 src/stream_output/sap.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/stream_output/sap.c b/src/stream_output/sap.c
index fa119e58df..bebbb167ce 100644
--- a/src/stream_output/sap.c
+++ b/src/stream_output/sap.c
@@ -612,18 +612,17 @@ static char *SDPGenerate( sap_handler_t *p_sap,
                             "c=IN IP%c %s/%d\r\n"
                             "m=video %d udp %d\r\n"
                             "a=tool:"PACKAGE_STRING"\r\n"
-                            "a=type:broadcast\r\n",
+                            "a=type:broadcast\r\n"
+                            "%s%s%s",
                             i_sdp_id, i_sdp_version,
                             ipv, p_addr->psz_machine,
                             psz_name, ipv,
                             psz_uri, p_session->i_ttl,
-                            p_session->i_port, p_session->i_payload ) == -1 )
+                            p_session->i_port, p_session->i_payload,
+                            psz_group ? "a=x-plgroup:" : "",
+                            psz_group ?: "", psz_group ? "\r\n" : "" ) == -1 )
         return NULL;
     
-    if( psz_group )
-        /* FIXME: this is illegal use of sprintf */
-        sprintf( psz_sdp, "%sa=x-plgroup:%s\r\n", psz_sdp, psz_group );
-
     msg_Dbg( p_sap, "Generated SDP (%i bytes):\n%s", strlen(psz_sdp),
              psz_sdp );
     return psz_sdp;
-- 
2.39.2