Issue 1218023003: Prevent OOB read on truncated H264 headers.

Issue 1218023003: Prevent OOB read on truncated H264 headers. (Closed)

Created:
5 years, 5 months ago by pbos-webrtc

Modified:
5 years, 5 months ago

Reviewers:
stefan-webrtc

CC:
webrtc-reviews_webrtc.org, tterriberry_mozilla.com, mflodman

Base URL:
https://chromium.googlesource.com/external/webrtc.git@master

Target Ref:
refs/pending/heads/master

Project:
webrtc

Visibility:
Public.

More Reviews

Description

Prevent OOB read on truncated H264 headers. Prevents OOB reads on truncated FU-A NAL units, StapA headers and past truncation just after StapA headers. BUG=webrtc:4771 R=stefan@webrtc.org Committed: https://crrev.com/2f1509395b56fe3175b27dc2ac76e8f749c809f7 Cr-Commit-Position: refs/heads/master@{#9522}

Patch Set 1 #

Patch Set 2 : rename test #

Patch Set 3 : use kFuAHeaderSize constant #

Total comments: 4

Patch Set 4 : additional StapANalu overflows #

Created: 5 years, 5 months ago

Download [raw] [tar.bz2]

		Unified diffs	Side-by-side diffs	Delta from patch set	Stats (+36 lines, -4 lines)			Patch
	M	webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc	View	1 2 3	5 chunks	+18 lines, -4 lines	0 comments	Download
	M	webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc	View	1 2 3	1 chunk	+18 lines, -0 lines	0 comments	Download

Messages

Total messages: 20 (4 generated)

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1218023003/1

5 years, 5 months ago (2015-06-30 12:19:54 UTC) #3

stefan-webrtc

Feel free to do more than one fix per cl if they are in the ...

5 years, 5 months ago (2015-06-30 13:08:06 UTC) #6

pbos-webrtc

Agreed, I generally want to find them by fuzzing though, so I try to fix ...

5 years, 5 months ago (2015-06-30 13:11:34 UTC) #7

stefan-webrtc

On 2015/06/30 13:11:34, pbos-webrtc wrote: > Agreed, I generally want to find them by fuzzing ...

5 years, 5 months ago (2015-06-30 13:12:43 UTC) #8

stefan-webrtc

https://codereview.webrtc.org/1218023003/diff/40001/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc File webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc (right): https://codereview.webrtc.org/1218023003/diff/40001/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc#newcode58 webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc:58: nal_type = payload_data[kStapAHeaderSize] & kTypeMask; Is this also safe?

5 years, 5 months ago (2015-06-30 13:13:19 UTC) #9

pbos-webrtc

On 2015/06/30 13:12:43, stefan-webrtc (holmer) wrote: > On 2015/06/30 13:11:34, pbos-webrtc wrote: > > Agreed, ...

5 years, 5 months ago (2015-06-30 13:13:45 UTC) #10

pbos-webrtc

5 years, 5 months ago (2015-06-30 13:16:37 UTC) #12

commit-bot: I haz the power

Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1218023003/60001

5 years, 5 months ago (2015-06-30 13:18:34 UTC) #14

commit-bot: I haz the power

CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/1218023003/60001

5 years, 5 months ago (2015-06-30 13:20:14 UTC) #18

commit-bot: I haz the power

5 years, 5 months ago (2015-06-30 15:23:50 UTC) #20

Message was sent while issue was closed.

Patchset 4 (id:??) landed as
https://crrev.com/2f1509395b56fe3175b27dc2ac76e8f749c809f7
Cr-Commit-Position: refs/heads/master@{#9522}

Expand Messages | Collapse Messages | Show Generated Messages | Hide Generated Messages