Side by Side Diff: webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc

Issue 1220753003: Prevent OOB reads in FEC packets without complete RED headers. (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@master
Patch Set: feedback + updated comment Created 5 years, 5 months ago
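--- a/webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc
+++ b/webrtc/modules/rtp_rtcp/source/fec_receiver_impl.cc
@@ -1,10 +1,10 @@
 /*
 * Copyright (c) 2012 The WebRTC project authors. All Rights Reserved.
 *
 * Use of this source code is governed by a BSD-style license
 * that can be found in the LICENSE file in the root of the source
 * tree. An additional intellectual property rights grant can be found
 * in the file PATENTS. All contributing project authors may
 * be found in the AUTHORS file in the root of the source tree.
 */
 
@@ -97,45 +97,47 @@
 uint8_t payload_type =
 incoming_rtp_packet[header.headerLength] & 0x7f;
 
 received_packet->is_fec = payload_type == ulpfec_payload_type;
 received_packet->seq_num = header.sequenceNumber;
 
 uint16_t blockLength = 0;
 if (incoming_rtp_packet[header.headerLength] & 0x80) {
 // f bit set in RED header
 REDHeaderLength = 4;
-if (payload_data_length < REDHeaderLength) {
+if (payload_data_length < REDHeaderLength + 1u) {
 LOG(LS_WARNING) << "Corrupt/truncated FEC packet.";
 return -1;
 }
 
 uint16_t timestamp_offset =
 (incoming_rtp_packet[header.headerLength + 1]) << 8;
 timestamp_offset +=
 incoming_rtp_packet[header.headerLength + 2];
 timestamp_offset = timestamp_offset >> 2;
 if (timestamp_offset != 0) {
 LOG(LS_WARNING) << "Corrupt payload found.";
 return -1;
 }
 
 blockLength =
 (0x03 & incoming_rtp_packet[header.headerLength + 2]) << 8;
 blockLength += (incoming_rtp_packet[header.headerLength + 3]);
 
 // check next RED header
 if (incoming_rtp_packet[header.headerLength + 4] & 0x80) {
 LOG(LS_WARNING) << "More than 2 blocks in packet not supported.";
 return -1;
 }
-if (blockLength > payload_data_length - REDHeaderLength) {
+// Check that the packet is long enough to contain data in the following
+// block.
+if (blockLength > payload_data_length - (REDHeaderLength + 1)) {
 LOG(LS_WARNING) << "Block length longer than packet.";
 return -1;
 }
 }
 ++packet_counter_.num_packets;
 
 rtc::scoped_ptr<ForwardErrorCorrection::ReceivedPacket>
 second_received_packet;
 if (blockLength > 0) {
 // handle block length, split into 2 packets
@@ -250,10 +252,10 @@
 return -1;
 }
 crit_sect_->Enter();
 (*it)->returned = true;
 }
 crit_sect_->Leave();
 return 0;
 }
 
 } // namespace webrtc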
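Review bot: The reads of `incoming_rtp_packet[header.headerLength]` at new lines 98 and 104 happen before the added length check at line 107, so an empty payload is only safe if the skipped lines 11–96 already reject `payload_data_length == 0`; that part of the function is not visible here and should be confirmed. If nothing there does, a guard such as `if (payload_data_length == 0) return -1;` belongs ahead of line 97. The two new checks also spell the same five-byte requirement two ways, `REDHeaderLength + 1u` and `(REDHeaderLength + 1)`; a comment on line 107 such as `// 4-byte RED block header plus the 1-byte header of the final block` and a single spelling would show why 4 is not enough. The check at line 133 still accepts `blockLength == payload_data_length - (REDHeaderLength + 1)`, which leaves the second block with no payload bytes, so the splitting code after line 143 (not shown) should be confirmed to handle a zero-length block.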