Prevent out-of-bounds reads for short FEC packets.

webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc

 /*
  *  Copyright (c) 2012 The WebRTC project authors. All Rights Reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 63 matching lines @@
 //    block length:  10 bits Length in bytes of the corresponding data
 //        block excluding header.
 
 int32_t FecReceiverImpl::AddReceivedRedPacket(
     const RTPHeader& header, const uint8_t* incoming_rtp_packet,
     size_t packet_length, uint8_t ulpfec_payload_type) {
   CriticalSectionScoped cs(crit_sect_.get());
   uint8_t REDHeaderLength = 1;
   size_t payload_data_length = packet_length - header.headerLength;
 
+  if (payload_data_length == 0) {
+    LOG(LS_WARNING) << "Corrupt/truncated FEC packet.";
+    return -1;
+  }
+
   // Add to list without RED header, aka a virtual RTP packet
   // we remove the RED header
 
   ForwardErrorCorrection::ReceivedPacket* received_packet =

[stefan-webrtc, 2015/06/29 13:19:50]

Can you switch this to a scoped_ptr?

[pbos-webrtc, 2015/06/29 13:30:07]

Done.

       new ForwardErrorCorrection::ReceivedPacket;
   received_packet->pkt = new ForwardErrorCorrection::Packet;

[stefan-webrtc, 2015/06/29 13:19:50]

Doesn't this require deletion at line 109, 123 and 136?

[pbos-webrtc, 2015/06/29 13:30:08]

No, deleted in ~ReceivedPacket.

 
   // get payload type from RED header
   uint8_t payload_type =
       incoming_rtp_packet[header.headerLength] & 0x7f;
 
   received_packet->is_fec = payload_type == ulpfec_payload_type;
   received_packet->seq_num = header.sequenceNumber;
 
   uint16_t blockLength = 0;
   if (incoming_rtp_packet[header.headerLength] & 0x80) {
     // f bit set in RED header
     REDHeaderLength = 4;
+    if (payload_data_length < REDHeaderLength) {
+      LOG(LS_WARNING) << "Corrupt/truncated FEC packet.";
+      delete received_packet;
+      return -1;
+    }
+
     uint16_t timestamp_offset =
         (incoming_rtp_packet[header.headerLength + 1]) << 8;
     timestamp_offset +=
         incoming_rtp_packet[header.headerLength + 2];
     timestamp_offset = timestamp_offset >> 2;
     if (timestamp_offset != 0) {
-      // |timestampOffset| should be 0. However, it's possible this is the first
-      // location a corrupt payload can be caught, so don't assert.
       LOG(LS_WARNING) << "Corrupt payload found.";
       delete received_packet;
       return -1;
     }
 
     blockLength =
         (0x03 & incoming_rtp_packet[header.headerLength + 2]) << 8;
     blockLength += (incoming_rtp_packet[header.headerLength + 3]);
 
     // check next RED header
     if (incoming_rtp_packet[header.headerLength + 4] & 0x80) {
-      // more than 2 blocks in packet not supported
+      LOG(LS_WARNING) << "More than 2 blocks in packet not supported.";
       delete received_packet;
-      assert(false);
       return -1;
     }
     if (blockLength > payload_data_length - REDHeaderLength) {
-      // block length longer than packet
+      LOG(LS_WARNING) << "Block length longer than packet.";
       delete received_packet;
-      assert(false);
       return -1;
     }
   }
   ++packet_counter_.num_packets;
 
   ForwardErrorCorrection::ReceivedPacket* second_received_packet = NULL;
   if (blockLength > 0) {
     // handle block length, split into 2 packets
     REDHeaderLength = 5;
 
@@ skipping 108 matching lines @@
       return -1;
     }
     crit_sect_->Enter();
     (*it)->returned = true;
   }
   crit_sect_->Leave();
   return 0;
 }
 
 }  // namespace webrtc