Prevent out-of-bounds reads for short FEC packets.

webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc

Index: webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc
diff --git a/webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc b/webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc
index 9d9550b0b1bf966d667604df42866cb27af7760b..ce240860a5881cf6b2260054611db071f7e2b9de 100644
--- a/webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc
+++ b/webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc
@@ -81,11 +81,16 @@ int32_t FecReceiverImpl::AddReceivedRedPacket(
   uint8_t REDHeaderLength = 1;
   size_t payload_data_length = packet_length - header.headerLength;
 
+  if (payload_data_length == 0) {
+    LOG(LS_WARNING) << "Corrupt/truncated FEC packet.";
+    return -1;
+  }
+
   // Add to list without RED header, aka a virtual RTP packet
   // we remove the RED header
 
-  ForwardErrorCorrection::ReceivedPacket* received_packet =
-      new ForwardErrorCorrection::ReceivedPacket;
+  rtc::scoped_ptr<ForwardErrorCorrection::ReceivedPacket> received_packet(
+      new ForwardErrorCorrection::ReceivedPacket);
   received_packet->pkt = new ForwardErrorCorrection::Packet;
 
   // get payload type from RED header
@@ -99,16 +104,18 @@ int32_t FecReceiverImpl::AddReceivedRedPacket(
   if (incoming_rtp_packet[header.headerLength] & 0x80) {
     // f bit set in RED header
     REDHeaderLength = 4;
+    if (payload_data_length < REDHeaderLength) {
+      LOG(LS_WARNING) << "Corrupt/truncated FEC packet.";
+      return -1;
+    }
+
     uint16_t timestamp_offset =
         (incoming_rtp_packet[header.headerLength + 1]) << 8;
     timestamp_offset +=
         incoming_rtp_packet[header.headerLength + 2];
     timestamp_offset = timestamp_offset >> 2;
     if (timestamp_offset != 0) {
-      // |timestampOffset| should be 0. However, it's possible this is the first
-      // location a corrupt payload can be caught, so don't assert.
       LOG(LS_WARNING) << "Corrupt payload found.";
-      delete received_packet;
       return -1;
     }
 
@@ -118,21 +125,18 @@ int32_t FecReceiverImpl::AddReceivedRedPacket(
 
     // check next RED header
     if (incoming_rtp_packet[header.headerLength + 4] & 0x80) {
-      // more than 2 blocks in packet not supported
-      delete received_packet;
-      assert(false);
+      LOG(LS_WARNING) << "More than 2 blocks in packet not supported.";
       return -1;
     }
     if (blockLength > payload_data_length - REDHeaderLength) {
-      // block length longer than packet
-      delete received_packet;
-      assert(false);
+      LOG(LS_WARNING) << "Block length longer than packet.";
       return -1;
     }
   }
   ++packet_counter_.num_packets;
 
-  ForwardErrorCorrection::ReceivedPacket* second_received_packet = NULL;
+  rtc::scoped_ptr<ForwardErrorCorrection::ReceivedPacket>
+      second_received_packet;

[stefan-webrtc, 2015/06/29 13:33:21]

Is this guaranteed to be null if you call release() on it before being set?

[pbos-webrtc, 2015/06/29 13:34:03]

This is default-constructed to nullptr.

   if (blockLength > 0) {
     // handle block length, split into 2 packets
     REDHeaderLength = 5;
@@ -154,7 +158,7 @@ int32_t FecReceiverImpl::AddReceivedRedPacket(
 
     received_packet->pkt->length = blockLength;
 
-    second_received_packet = new ForwardErrorCorrection::ReceivedPacket;
+    second_received_packet.reset(new ForwardErrorCorrection::ReceivedPacket);
     second_received_packet->pkt = new ForwardErrorCorrection::Packet;
 
     second_received_packet->is_fec = true;
@@ -202,14 +206,12 @@ int32_t FecReceiverImpl::AddReceivedRedPacket(
   }
 
   if (received_packet->pkt->length == 0) {
-    delete second_received_packet;
-    delete received_packet;
     return 0;
   }
 
-  received_packet_list_.push_back(received_packet);
+  received_packet_list_.push_back(received_packet.release());
   if (second_received_packet) {
-    received_packet_list_.push_back(second_received_packet);
+    received_packet_list_.push_back(second_received_packet.release());
   }
   return 0;
 }