Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(197)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc

Issue 1219703002: Prevent out-of-bounds reads for short FEC packets. (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@master
Patch Set: feedback Created 5 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc ('K') | « webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc ('k') | no next file » | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc
diff --git a/webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc b/webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc
index 31baf4e767a8997242ce30cba2645e7a94f0298a..3cd2a9e462635c4aa13c654c92da7322c900fb7d 100644
--- a/webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc
+++ b/webrtc/modules/rtp_rtcp/source/fec_receiver_unittest.cc
@@ -16,6 +16,7 @@
#include "testing/gtest/include/gtest/gtest.h"
#include "webrtc/base/scoped_ptr.h"
#include "webrtc/modules/rtp_rtcp/interface/fec_receiver.h"
+#include "webrtc/modules/rtp_rtcp/interface/rtp_header_parser.h"
#include "webrtc/modules/rtp_rtcp/mocks/mock_rtp_rtcp.h"
#include "webrtc/modules/rtp_rtcp/source/fec_test_helper.h"
#include "webrtc/modules/rtp_rtcp/source/forward_error_correction.h"
@@ -81,6 +82,10 @@ class ReceiverFecTest : public ::testing::Test {
delete red_packet;
}
+ static void SurvivesMaliciousPacket(const uint8_t* data,
+ size_t length,
+ uint8_t ulpfec_payload_type);
+
MockRtpData rtp_data_callback_;
rtc::scoped_ptr<ForwardErrorCorrection> fec_;
rtc::scoped_ptr<FecReceiver> receiver_fec_;
@@ -362,4 +367,38 @@ TEST_F(ReceiverFecTest, OldFecPacketDropped) {
DeletePackets(&media_packets);
}
+void ReceiverFecTest::SurvivesMaliciousPacket(const uint8_t* data,
+ size_t length,
+ uint8_t ulpfec_payload_type) {
+ webrtc::RTPHeader header;
+ rtc::scoped_ptr<webrtc::RtpHeaderParser> parser(
+ webrtc::RtpHeaderParser::Create());
+ ASSERT_TRUE(parser->Parse(data, length, &header));
+
+ webrtc::NullRtpData null_callback;
+ rtc::scoped_ptr<webrtc::FecReceiver> receiver_fec(
+ webrtc::FecReceiver::Create(&null_callback));
+
+ receiver_fec->AddReceivedRedPacket(header, data, length, ulpfec_payload_type);
+}
+
+TEST_F(ReceiverFecTest, TruncatedPacketWithFBitSet) {
+ const uint8_t kTruncatedPacket[] = {0x80,
+ 0x2a,
+ 0x68,
+ 0x71,
+ 0x29,
+ 0xa1,
+ 0x27,
+ 0x3a,
+ 0x29,
+ 0x12,
+ 0x2a,
+ 0x98,
+ 0xe0,
+ 0x29};
+
+ SurvivesMaliciousPacket(kTruncatedPacket, sizeof(kTruncatedPacket), 100);
+}
+
} // namespace webrtc
« webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc ('K') | « webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc ('k') | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698