Prevent out-of-bounds reads for short FEC packets.

webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc

 /*
  *  Copyright (c) 2012 The WebRTC project authors. All Rights Reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 63 matching lines @@
 //    block length:  10 bits Length in bytes of the corresponding data
 //        block excluding header.
 
 int32_t FecReceiverImpl::AddReceivedRedPacket(
     const RTPHeader& header, const uint8_t* incoming_rtp_packet,
     size_t packet_length, uint8_t ulpfec_payload_type) {
   CriticalSectionScoped cs(crit_sect_.get());
   uint8_t REDHeaderLength = 1;
   size_t payload_data_length = packet_length - header.headerLength;
 
+  if (payload_data_length == 0) {
+    LOG(LS_WARNING) << "Corrupt/truncated FEC packet.";
+    return -1;
+  }
+
   // Add to list without RED header, aka a virtual RTP packet
   // we remove the RED header
 
-  ForwardErrorCorrection::ReceivedPacket* received_packet =
-      new ForwardErrorCorrection::ReceivedPacket;
+  rtc::scoped_ptr<ForwardErrorCorrection::ReceivedPacket> received_packet(
+      new ForwardErrorCorrection::ReceivedPacket);
   received_packet->pkt = new ForwardErrorCorrection::Packet;
 
   // get payload type from RED header
   uint8_t payload_type =
       incoming_rtp_packet[header.headerLength] & 0x7f;
 
   received_packet->is_fec = payload_type == ulpfec_payload_type;
   received_packet->seq_num = header.sequenceNumber;
 
   uint16_t blockLength = 0;
   if (incoming_rtp_packet[header.headerLength] & 0x80) {
     // f bit set in RED header
     REDHeaderLength = 4;
+    if (payload_data_length < REDHeaderLength) {
+      LOG(LS_WARNING) << "Corrupt/truncated FEC packet.";
+      return -1;
+    }
+
     uint16_t timestamp_offset =
         (incoming_rtp_packet[header.headerLength + 1]) << 8;
     timestamp_offset +=
         incoming_rtp_packet[header.headerLength + 2];
     timestamp_offset = timestamp_offset >> 2;
     if (timestamp_offset != 0) {
-      // |timestampOffset| should be 0. However, it's possible this is the first
-      // location a corrupt payload can be caught, so don't assert.
       LOG(LS_WARNING) << "Corrupt payload found.";
-      delete received_packet;
       return -1;
     }
 
     blockLength =
         (0x03 & incoming_rtp_packet[header.headerLength + 2]) << 8;
     blockLength += (incoming_rtp_packet[header.headerLength + 3]);
 
     // check next RED header
     if (incoming_rtp_packet[header.headerLength + 4] & 0x80) {
-      // more than 2 blocks in packet not supported
-      delete received_packet;
-      assert(false);
+      LOG(LS_WARNING) << "More than 2 blocks in packet not supported.";
       return -1;
     }
     if (blockLength > payload_data_length - REDHeaderLength) {
-      // block length longer than packet
-      delete received_packet;
-      assert(false);
+      LOG(LS_WARNING) << "Block length longer than packet.";
       return -1;
     }
   }
   ++packet_counter_.num_packets;
 
-  ForwardErrorCorrection::ReceivedPacket* second_received_packet = NULL;
+  rtc::scoped_ptr<ForwardErrorCorrection::ReceivedPacket>
+      second_received_packet;

[stefan-webrtc, 2015/06/29 13:33:21]

Is this guaranteed to be null if you call release() on it before being set?

[pbos-webrtc, 2015/06/29 13:34:03]

This is default-constructed to nullptr.

   if (blockLength > 0) {
     // handle block length, split into 2 packets
     REDHeaderLength = 5;
 
     // copy the RTP header
     memcpy(received_packet->pkt->data, incoming_rtp_packet,
            header.headerLength);
 
     // replace the RED payload type
     received_packet->pkt->data[1] &= 0x80;  // reset the payload
     received_packet->pkt->data[1] +=
         payload_type;                       // set the media payload type
 
     // copy the payload data
     memcpy(
         received_packet->pkt->data + header.headerLength,
         incoming_rtp_packet + header.headerLength + REDHeaderLength,
         blockLength);
 
     received_packet->pkt->length = blockLength;
 
-    second_received_packet = new ForwardErrorCorrection::ReceivedPacket;
+    second_received_packet.reset(new ForwardErrorCorrection::ReceivedPacket);
     second_received_packet->pkt = new ForwardErrorCorrection::Packet;
 
     second_received_packet->is_fec = true;
     second_received_packet->seq_num = header.sequenceNumber;
     ++packet_counter_.num_fec_packets;
 
     // copy the FEC payload data
     memcpy(second_received_packet->pkt->data,
            incoming_rtp_packet + header.headerLength +
                REDHeaderLength + blockLength,
@@ skipping 27 matching lines @@
     memcpy(
         received_packet->pkt->data + header.headerLength,
         incoming_rtp_packet + header.headerLength + REDHeaderLength,
         payload_data_length - REDHeaderLength);
 
     received_packet->pkt->length =
         header.headerLength + payload_data_length - REDHeaderLength;
   }
 
   if (received_packet->pkt->length == 0) {
-    delete second_received_packet;
-    delete received_packet;
     return 0;
   }
 
-  received_packet_list_.push_back(received_packet);
+  received_packet_list_.push_back(received_packet.release());
   if (second_received_packet) {
-    received_packet_list_.push_back(second_received_packet);
+    received_packet_list_.push_back(second_received_packet.release());
   }
   return 0;
 }
 
 int32_t FecReceiverImpl::ProcessReceivedFec() {
   crit_sect_->Enter();
   if (!received_packet_list_.empty()) {
     // Send received media packet to VCM.
     if (!received_packet_list_.front()->is_fec) {
       ForwardErrorCorrection::Packet* packet =
@@ skipping 25 matching lines @@
       return -1;
     }
     crit_sect_->Enter();
     (*it)->returned = true;
   }
   crit_sect_->Leave();
   return 0;
 }
 
 }  // namespace webrtc