Chromium Code Reviews Chromium Code Reviews
Issue 1238033003:
Prevent OOB reads for truncated H264 STAP-A packets. (Closed)
Base URL: https://chromium.googlesource.com/external/webrtc.git@master| Index: webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc |
| diff --git a/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc b/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc |
| index ba41c620c52f81d2896e76d86e64959442250449..073a67b46977a430d6291b12089bb46f3594b310 100644 |
| --- a/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc |
| +++ b/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc |
| @@ -40,6 +40,22 @@ enum NalDefs { kFBit = 0x80, kNriMask = 0x60, kTypeMask = 0x1F }; |
| // Bit masks for FU (A and B) headers. |
| enum FuDefs { kSBit = 0x80, kEBit = 0x40, kRBit = 0x20 }; |
| +bool VerifyStapANaluLengths(const uint8_t* nalu_ptr, size_t length_remaining) { |
| + while (length_remaining > 0) { |
|
stefan-webrtc
2015/07/28 14:22:18
Add a TODO to not parse this twice (here and in th
|
| + // Buffer doesn't contain room for additional nalu length. |
| + if (length_remaining < sizeof(uint16_t)) |
| + return false; |
| + uint16_t nalu_size = nalu_ptr[0] << 8 | nalu_ptr[1]; |
| + nalu_ptr += sizeof(uint16_t); |
| + length_remaining -= sizeof(uint16_t); |
| + if (nalu_size > length_remaining) |
| + return false; |
| + nalu_ptr += nalu_size; |
| + length_remaining -= nalu_size; |
| + } |
| + return true; |
| +} |
| + |
| bool ParseSingleNalu(RtpDepacketizer::ParsedPayload* parsed_payload, |
| const uint8_t* payload_data, |
| size_t payload_data_length) { |
| @@ -59,6 +75,9 @@ bool ParseSingleNalu(RtpDepacketizer::ParsedPayload* parsed_payload, |
| LOG(LS_ERROR) << "StapA header truncated."; |
| return false; |
| } |
| + if (!VerifyStapANaluLengths(nalu_start, nalu_length)) |
|
stefan-webrtc
2015/07/28 14:22:19
Log this?
|
| + return false; |
| + |
| nal_type = payload_data[kStapAHeaderSize] & kTypeMask; |
| nalu_start += kStapAHeaderSize; |
| nalu_length -= kStapAHeaderSize; |
