[Linphone-developers] variadic arguments misuse in ortp.c?

[Peter]

Hi,

while trying to use oRTP library and running the rtpsend and rtprecv 
examples I have encountered a bug while displaying statistics with 
ortp_global_stats_display().
In my opinion the bug is in _strdup_vprintf() function in ortp.c. Here 
vsnprintf() is called more than one time with the same va_list argument 
that not reinitialized. va_start cannot be called, of course, but va_copy 
can.
This function is called from ortp_log, _message, _warning and so on so the 
bug may manifest whenever a message larger then 200 chars (so a re-alloc 
is done and vsnprintf() is called again) is printed.

My system is a Linux 2.6.24-19-generic #1 SMP Fri Jul 11 21:01:46 
UTC 2008 x86_64 GNU/Linux (Ubuntu hardy, 64 bit, glibc 2.7).

The following patch solves the problem for me. va_copy is not available on 
all platforms. On some platforms __va_copy is defined, on others it simply 
isn't defined. My patch does not take that into account.

-------------------------------------------------------------------------
diff -upr ortp-0.13.1/src/ortp.c ortp-0.13.1new/src/ortp.c
--- ortp-0.13.1/src/ortp.c      2007-02-13 23:31:01.000000000 +0200
+++ ortp-0.13.1new/src/ortp.c   2008-09-12 13:10:18.000000000 +0300
@@ -174,9 +174,12 @@ static char * _strdup_vprintf(const char
                return NULL;
        while (1)
        {
+               va_list vsnprintf_args;
                /* Try to print in the allocated space. */
                //va_start(ap, fmt);
+               va_copy(vsnprintf_args, ap);
                n = vsnprintf (p, size, fmt, ap);
+               va_end(vsnprintf_args);
                //va_end(ap);
                /* If that worked, return the string. */
                if (n > -1 && n < size)
-----------------------------------------------------------------------

Regards,

Peter