Prevent heap overflows for incorrect FEC packet lengths.

webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc

Index: webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc
diff --git a/webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc b/webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc
index e67ec4e53bf34d32462de12ea94bed9caaeb565c..f8c01b7cd8bb1de361b198c8159b3e2a15bd9a43 100644
--- a/webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc
+++ b/webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc
@@ -18,6 +18,7 @@
 #include "webrtc/modules/rtp_rtcp/interface/fec_receiver.h"
 #include "webrtc/modules/rtp_rtcp/interface/rtp_header_parser.h"
 #include "webrtc/modules/rtp_rtcp/mocks/mock_rtp_rtcp.h"
+#include "webrtc/modules/rtp_rtcp/source/byte_io.h"
 #include "webrtc/modules/rtp_rtcp/source/fec_test_helper.h"
 #include "webrtc/modules/rtp_rtcp/source/forward_error_correction.h"
 
@@ -82,6 +83,7 @@ class ReceiverFecTest : public ::testing::Test {
     delete red_packet;
   }
 
+  void InjectGarbagePacketLength(size_t fec_garbage_offset);
   static void SurvivesMaliciousPacket(const uint8_t* data,
                                       size_t length,
                                       uint8_t ulpfec_payload_type);
@@ -109,8 +111,7 @@ TEST_F(ReceiverFecTest, TwoMediaOneFec) {
 
   // Recovery
   std::list<RtpPacket*>::iterator it = media_rtp_packets.begin();
-  std::list<RtpPacket*>::iterator media_it = media_rtp_packets.begin();
-  BuildAndAddRedMediaPacket(*media_it);
+  BuildAndAddRedMediaPacket(*it);
   VerifyReconstructedMediaPacket(*it, 1);
   EXPECT_EQ(0, receiver_fec_->ProcessReceivedFec());
   // Drop one media packet.
@@ -128,6 +129,46 @@ TEST_F(ReceiverFecTest, TwoMediaOneFec) {
   DeletePackets(&media_packets);
 }
 
+void ReceiverFecTest::InjectGarbagePacketLength(size_t fec_garbage_offset) {
+  EXPECT_CALL(rtp_data_callback_, OnRecoveredPacket(_, _))
+      .WillRepeatedly(Return(true));
+
+  const unsigned int kNumFecPackets = 1u;
+  std::list<RtpPacket*> media_rtp_packets;
+  std::list<Packet*> media_packets;
+  GenerateFrame(2, 0, &media_rtp_packets, &media_packets);
+  std::list<Packet*> fec_packets;
+  GenerateFEC(&media_packets, &fec_packets, kNumFecPackets);
+  ByteWriter<uint16_t>::WriteBigEndian(
+      &fec_packets.front()->data[fec_garbage_offset], 0x4711);
+
+  // Recovery
+  std::list<RtpPacket*>::iterator it = media_rtp_packets.begin();
+  BuildAndAddRedMediaPacket(*it);

[stefan-webrtc, 2015/07/02 09:31:25]

This doesn't really do any recovery, right? Can you move line 149 up here?

[pbos-webrtc, 2015/07/02 13:54:55]

Don't even think I should be running it (line 149), updated this segment along
with comment, PTAL.

+
+  EXPECT_EQ(0, receiver_fec_->ProcessReceivedFec());
+  // Drop one media packet.
+  std::list<Packet*>::iterator fec_it = fec_packets.begin();
+  BuildAndAddRedFecPacket(*fec_it);
+  ++it;
+  EXPECT_EQ(0, receiver_fec_->ProcessReceivedFec());
+
+  FecPacketCounter counter = receiver_fec_->GetPacketCounter();
+  EXPECT_EQ(2u, counter.num_packets);
+  EXPECT_EQ(1u, counter.num_fec_packets);
+  EXPECT_EQ(0u, counter.num_recovered_packets);
+
+  DeletePackets(&media_packets);
+}
+
+TEST_F(ReceiverFecTest, InjectGarbageRecoveredPacketLength) {
+  InjectGarbagePacketLength(8);
+}
+
+TEST_F(ReceiverFecTest, InjectGarbagePacketLength) {
+  InjectGarbagePacketLength(10);

[stefan-webrtc, 2015/07/02 09:31:26]

Can you comment on why those offsets are interesting?

[pbos-webrtc, 2015/07/02 13:54:55]

Done, also updated test names to reflect this.

+}
+
 TEST_F(ReceiverFecTest, TwoMediaTwoFec) {
   const unsigned int kNumFecPackets = 2u;
   std::list<RtpPacket*> media_rtp_packets;