From 0f27847ff8ab48d06d5abd6e5bf35e315cf16457 Mon Sep 17 00:00:00 2001
From: Szymon Janc
Date: Mon, 9 May 2011 16:19:32 +0200
Subject: [PATCH] Fix potential NULL pointer dereference in sdp_get_lang_attr

---
 lib/sdp.c | 41 +++++++++++++++++++++++++----------------
 1 file changed, 25 insertions(+), 16 deletions(-)

diff --git a/lib/sdp.c b/lib/sdp.c
index dd6a62a56..ba47d202e 100644
--- a/lib/sdp.c
+++ b/lib/sdp.c
@@ -2021,25 +2021,34 @@ int sdp_get_lang_attr(const sdp_record_t *rec, sdp_list_t **langSeq)
 curr_data = sdpdata->val.dataseq;
 while (curr_data) {
 sdp_data_t *pCode = curr_data;
- sdp_data_t *pEncoding = pCode->next;
- sdp_data_t *pOffset = pEncoding->next;
- if (pEncoding && pOffset) {
- lang = malloc(sizeof(sdp_lang_attr_t));
- if (!lang) {
- sdp_list_free(*langSeq, free);
- *langSeq = NULL;
- return -1;
- }
- lang->code_ISO639 = pCode->val.uint16;
- lang->encoding = pEncoding->val.uint16;
- lang->base_offset = pOffset->val.uint16;
- SDPDBG("code_ISO639 : 0x%02x\n", lang->code_ISO639);
- SDPDBG("encoding : 0x%02x\n", lang->encoding);
- SDPDBG("base_offfset : 0x%02x\n", lang->base_offset);
- *langSeq = sdp_list_append(*langSeq, lang);
+ sdp_data_t *pEncoding;
+ sdp_data_t *pOffset;
+
+ pEncoding = pCode->next;
+ if (!pEncoding)
+ break;
+
+ pOffset = pEncoding->next;
+ if (!pOffset)
+ break;
+
+ lang = malloc(sizeof(sdp_lang_attr_t));
+ if (!lang) {
+ sdp_list_free(*langSeq, free);
+ *langSeq = NULL;
+ return -1;
 }
+ lang->code_ISO639 = pCode->val.uint16;
+ lang->encoding = pEncoding->val.uint16;
+ lang->base_offset = pOffset->val.uint16;
+ SDPDBG("code_ISO639 : 0x%02x\n", lang->code_ISO639);
+ SDPDBG("encoding : 0x%02x\n", lang->encoding);
+ SDPDBG("base_offfset : 0x%02x\n", lang->base_offset);
+ *langSeq = sdp_list_append(*langSeq, lang);
+
 curr_data = pOffset->next;
 }
+
 return 0;
 }
-- 
2.47.3
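Review bot: The three `val.uint16` reads that follow the new NULL checks still trust each element's type; nothing in the hunk inspects `dtd`, so a language-base list holding non-UINT16 elements yields values taken from whichever union member was actually stored. SDP records can originate from a remote device, so I would add `if (pCode->dtd != SDP_UINT16 || pEncoding->dtd != SDP_UINT16 || pOffset->dtd != SDP_UINT16) break;` ahead of the `malloc`. The context line `curr_data = sdpdata->val.dataseq;` has the same exposure and wants an `SDP_IS_SEQ(sdpdata->dtd)` guard, unless one already exists above the hunk; the function begins outside it. Separately, both new `break` paths fall through to `return 0`, so a truncated triplet is reported as success with a partial list; if callers should be able to tell, free the list and return -1 the way the `malloc` failure path does.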