Prevent OOB read on truncated H264 headers.

webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc

 /*
  *  Copyright (c) 2014 The WebRTC project authors. All Rights Reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 22 matching lines @@
 static const size_t kFuAHeaderSize = 2;
 static const size_t kLengthFieldSize = 2;
 static const size_t kStapAHeaderSize = kNalHeaderSize + kLengthFieldSize;
 
 // Bit masks for FU (A and B) indicators.
 enum NalDefs { kFBit = 0x80, kNriMask = 0x60, kTypeMask = 0x1F };
 
 // Bit masks for FU (A and B) headers.
 enum FuDefs { kSBit = 0x80, kEBit = 0x40, kRBit = 0x20 };
 
-void ParseSingleNalu(RtpDepacketizer::ParsedPayload* parsed_payload,
+bool ParseSingleNalu(RtpDepacketizer::ParsedPayload* parsed_payload,
                      const uint8_t* payload_data,
                      size_t payload_data_length) {
   parsed_payload->type.Video.width = 0;
   parsed_payload->type.Video.height = 0;
   parsed_payload->type.Video.codec = kRtpVideoH264;
   parsed_payload->type.Video.isFirstPacket = true;
   RTPVideoHeaderH264* h264_header =
       &parsed_payload->type.Video.codecHeader.H264;
 
   const uint8_t* nalu_start = payload_data + kNalHeaderSize;
   size_t nalu_length = payload_data_length - kNalHeaderSize;
   uint8_t nal_type = payload_data[0] & kTypeMask;
   if (nal_type == kStapA) {
     // Skip the StapA header (StapA nal type + length).
+    if (payload_data_length <= kStapAHeaderSize) {
+      LOG(LS_ERROR) << "StapA header truncated.";
+      return false;
+    }
     nal_type = payload_data[kStapAHeaderSize] & kTypeMask;
     nalu_start += kStapAHeaderSize;
     nalu_length -= kStapAHeaderSize;
     h264_header->packetization_type = kH264StapA;
   } else {
     h264_header->packetization_type = kH264SingleNalu;
   }
   h264_header->nalu_type = nal_type;
 
   // We can read resolution out of sps packets.
   if (nal_type == kSps) {
     H264SpsParser parser(nalu_start, nalu_length);
     if (parser.Parse()) {
       parsed_payload->type.Video.width = parser.width();
       parsed_payload->type.Video.height = parser.height();
     }
   }
   switch (nal_type) {
     case kSps:
     case kPps:
     case kIdr:
       parsed_payload->frame_type = kVideoFrameKey;
       break;
     default:
       parsed_payload->frame_type = kVideoFrameDelta;
       break;
   }
+  return true;
 }
 
-void ParseFuaNalu(RtpDepacketizer::ParsedPayload* parsed_payload,
+bool ParseFuaNalu(RtpDepacketizer::ParsedPayload* parsed_payload,
                   const uint8_t* payload_data,
                   size_t payload_data_length,
                   size_t* offset) {
+  if (payload_data_length < kFuAHeaderSize) {
+    LOG(LS_ERROR) << "FU-A NAL units truncated.";
+    return false;
+  }
   uint8_t fnri = payload_data[0] & (kFBit | kNriMask);
   uint8_t original_nal_type = payload_data[1] & kTypeMask;
   bool first_fragment = (payload_data[1] & kSBit) > 0;
 
   uint8_t original_nal_header = fnri | original_nal_type;
   if (first_fragment) {
     *offset = kNalHeaderSize;
     uint8_t* payload = const_cast<uint8_t*>(payload_data + *offset);
     payload[0] = original_nal_header;
   } else {
     *offset = kFuAHeaderSize;
   }
 
   if (original_nal_type == kIdr) {
     parsed_payload->frame_type = kVideoFrameKey;
   } else {
     parsed_payload->frame_type = kVideoFrameDelta;
   }
   parsed_payload->type.Video.width = 0;
   parsed_payload->type.Video.height = 0;
   parsed_payload->type.Video.codec = kRtpVideoH264;
   parsed_payload->type.Video.isFirstPacket = first_fragment;
   RTPVideoHeaderH264* h264_header =
       &parsed_payload->type.Video.codecHeader.H264;
   h264_header->packetization_type = kH264FuA;
   h264_header->nalu_type = original_nal_type;
+  return true;
 }
 }  // namespace
 
 RtpPacketizerH264::RtpPacketizerH264(FrameType frame_type,
                                      size_t max_payload_len)
     : payload_data_(NULL),
       payload_size_(0),
       max_payload_len_(max_payload_len),
       frame_type_(frame_type) {
 }
@@ skipping 192 matching lines @@
   assert(parsed_payload != NULL);
   if (payload_data_length == 0) {
     LOG(LS_ERROR) << "Empty payload.";
     return false;
   }
 
   uint8_t nal_type = payload_data[0] & kTypeMask;
   size_t offset = 0;
   if (nal_type == kFuA) {
     // Fragmented NAL units (FU-A).
-    ParseFuaNalu(parsed_payload, payload_data, payload_data_length, &offset);
+    if (!ParseFuaNalu(
+            parsed_payload, payload_data, payload_data_length, &offset)) {
+      return false;
+    }
   } else {
     // We handle STAP-A and single NALU's the same way here. The jitter buffer
     // will depacketize the STAP-A into NAL units later.
-    ParseSingleNalu(parsed_payload, payload_data, payload_data_length);
+    if (!ParseSingleNalu(parsed_payload, payload_data, payload_data_length))
+      return false;
   }
 
   parsed_payload->payload = payload_data + offset;
   parsed_payload->payload_length = payload_data_length - offset;
   return true;
 }
 }  // namespace webrtc