webrtc/modules/rtp_rtcp/source/rtp_format_vp8.cc - Issue 1221643009: Prevent depacketizer OOB reads on zero-length VP8 payload.

Side by Side Diff: webrtc/modules/rtp_rtcp/source/rtp_format_vp8.cc

Issue 1221643009: Prevent depacketizer OOB reads on zero-length VP8 payload. (Closed) Base URL: https://chromium.googlesource.com/external/webrtc.git@master

Patch Set: Created 5 years, 5 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 /*	1 /*

2 * Copyright (c) 2011 The WebRTC project authors. All Rights Reserved.	2 * Copyright (c) 2011 The WebRTC project authors. All Rights Reserved.

3 *	3 *

4 * Use of this source code is governed by a BSD-style license	4 * Use of this source code is governed by a BSD-style license

5 * that can be found in the LICENSE file in the root of the source	5 * that can be found in the LICENSE file in the root of the source

6 * tree. An additional intellectual property rights grant can be found	6 * tree. An additional intellectual property rights grant can be found

7 * in the file PATENTS. All contributing project authors may	7 * in the file PATENTS. All contributing project authors may

8 * be found in the AUTHORS file in the root of the source tree.	8 * be found in the AUTHORS file in the root of the source tree.

9 */	9 */

10	10

(...skipping 650 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
661 // 0 1 2 3 4 5 6 7	661 // 0 1 2 3 4 5 6 7

662 // +-+-+-+-+-+-+-+-+	662 // +-+-+-+-+-+-+-+-+

663 // \|Size0\|H\| VER \|P\|	663 // \|Size0\|H\| VER \|P\|

664 // +-+-+-+-+-+-+-+-+	664 // +-+-+-+-+-+-+-+-+

665 // \| ... \|	665 // \| ... \|

666 // + +	666 // + +

667 bool RtpDepacketizerVp8::Parse(ParsedPayload* parsed_payload,	667 bool RtpDepacketizerVp8::Parse(ParsedPayload* parsed_payload,

668 const uint8_t* payload_data,	668 const uint8_t* payload_data,

669 size_t payload_data_length) {	669 size_t payload_data_length) {

670 assert(parsed_payload != NULL);	670 assert(parsed_payload != NULL);

	671 if (payload_data_length == 0) {

	672 LOG(LS_ERROR) << "Empty payload.";

	673 return false;

	674 }

671	675

672 // Parse mandatory first byte of payload descriptor.	676 // Parse mandatory first byte of payload descriptor.

673 bool extension = (*payload_data & 0x80) ? true : false; // X bit	677 bool extension = (*payload_data & 0x80) ? true : false; // X bit

674 bool beginning_of_partition = (*payload_data & 0x10) ? true : false; // S bit	678 bool beginning_of_partition = (*payload_data & 0x10) ? true : false; // S bit

675 int partition_id = (*payload_data & 0x0F); // PartID field	679 int partition_id = (*payload_data & 0x0F); // PartID field

676	680

677 parsed_payload->type.Video.width = 0;	681 parsed_payload->type.Video.width = 0;

678 parsed_payload->type.Video.height = 0;	682 parsed_payload->type.Video.height = 0;

679 parsed_payload->type.Video.isFirstPacket =	683 parsed_payload->type.Video.isFirstPacket =

680 beginning_of_partition && (partition_id == 0);	684 beginning_of_partition && (partition_id == 0);

(...skipping 49 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
730 if (ParseVP8FrameSize(parsed_payload, payload_data, payload_data_length) !=	734 if (ParseVP8FrameSize(parsed_payload, payload_data, payload_data_length) !=

731 0) {	735 0) {

732 return false;	736 return false;

733 }	737 }

734	738

735 parsed_payload->payload = payload_data;	739 parsed_payload->payload = payload_data;

736 parsed_payload->payload_length = payload_data_length;	740 parsed_payload->payload_length = payload_data_length;

737 return true;	741 return true;

738 }	742 }

739 } // namespace webrtc	743 } // namespace webrtc

OLD	NEW

« no previous file with comments | « no previous file | webrtc/modules/rtp_rtcp/source/rtp_format_vp8_unittest.cc » ('j') | no next file with comments »