Fixing SDP parsing crash due to invalid port numbers.

webrtc/pc/webrtcsdp.cc

 /*
  *  Copyright 2011 The WebRTC project authors. All Rights Reserved.
  *
  *  Use of this source code is governed by a BSD-style license
  *  that can be found in the LICENSE file in the root of the source
  *  tree. An additional intellectual property rights grant can be found
  *  in the file PATENTS.  All contributing project authors may
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
@@ skipping 61 matching lines @@
 using cricket::StreamParamsVec;
 using cricket::TransportDescription;
 using cricket::TransportInfo;
 using cricket::VideoContentDescription;
 using rtc::SocketAddress;
 
 namespace cricket {
 class SessionDescription;
 }
 
+// TODO(deadbeef): Switch to using anonymous namespace rather than declaring
+// everything "static".
 namespace webrtc {
 
 // Line type
 // RFC 4566
 // An SDP session description consists of a number of lines of text of
 // the form:
 // <type>=<value>
 // where <type> MUST be exactly one case-significant character.
 static const int kLinePrefixLength = 2;  // Length of <type>=
 static const char kLineTypeVersion = 'v';
@@ skipping 691 matching lines @@
   if (!candidates) {
     return;
   }
   const IceCandidateCollection* cc = desci.candidates(mline_index);
   for (size_t i = 0; i < cc->count(); ++i) {
     const IceCandidateInterface* candidate = cc->at(i);
     candidates->push_back(candidate->candidate());
   }
 }
 
+static bool IsValidPort(int port) {
+  return port >= 0 && port <= 65535;
+}
+
 std::string SdpSerialize(const JsepSessionDescription& jdesc,
                          bool unified_plan_sdp) {
   const cricket::SessionDescription* desc = jdesc.description();
   if (!desc) {
     return "";
   }
 
   std::string message;
 
   // Session Description.
@@ skipping 216 matching lines @@
   const std::string& transport = fields[2];
   uint32_t priority = 0;
   if (!GetValueFromString(first_line, fields[3], &priority, error)) {
     return false;
   }
   const std::string& connection_address = fields[4];
   int port = 0;
   if (!GetValueFromString(first_line, fields[5], &port, error)) {
     return false;
   }
+  if (!IsValidPort(port)) {
+    return ParseFailed(first_line, "Invalid port number.", error);
+  }
   SocketAddress address(connection_address, port);
 
   cricket::ProtocolType protocol;
   if (!StringToProto(transport.c_str(), &protocol)) {
     return ParseFailed(first_line, "Unsupported transport type.", error);
   }
   switch (protocol) {
     case cricket::PROTO_UDP:
     case cricket::PROTO_TCP:
     case cricket::PROTO_SSLTCP:
@@ skipping 26 matching lines @@
     related_address.SetIP(fields[++current_position]);
     ++current_position;
   }
   if (fields.size() >= (current_position + 2) &&
       fields[current_position] == kAttributeCandidateRport) {
     int port = 0;
     if (!GetValueFromString(
         first_line, fields[++current_position], &port, error)) {
       return false;
     }
+    if (!IsValidPort(port)) {
+      return ParseFailed(first_line, "Invalid port number.", error);
+    }
     related_address.SetPort(port);
     ++current_position;
   }
 
   // If this is a TCP candidate, it has additional extension as defined in
   // RFC 6544.
   std::string tcptype;
   if (fields.size() >= (current_position + 2) &&
       fields[current_position] == kTcpCandidateType) {
     tcptype = fields[++current_position];
@@ skipping 2106 matching lines @@
     UpdateCodec<AudioContentDescription, cricket::AudioCodec>(
         media_desc, payload_type, feedback_param);
   } else if (media_type == cricket::MEDIA_TYPE_VIDEO) {
     UpdateCodec<VideoContentDescription, cricket::VideoCodec>(
         media_desc, payload_type, feedback_param);
   }
   return true;
 }
 
 }  // namespace webrtc