Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(367)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc

Issue 2677073002: Fix potential use after free in H264 packetizer. (Closed)
Patch Set: Created 3 years, 10 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « no previous file | no next file » | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
1 /* 1 /*
2 * Copyright (c) 2014 The WebRTC project authors. All Rights Reserved. 2 * Copyright (c) 2014 The WebRTC project authors. All Rights Reserved.
3 * 3 *
4 * Use of this source code is governed by a BSD-style license 4 * Use of this source code is governed by a BSD-style license
5 * that can be found in the LICENSE file in the root of the source 5 * that can be found in the LICENSE file in the root of the source
6 * tree. An additional intellectual property rights grant can be found 6 * tree. An additional intellectual property rights grant can be found
7 * in the file PATENTS. All contributing project authors may 7 * in the file PATENTS. All contributing project authors may
8 * be found in the AUTHORS file in the root of the source tree. 8 * be found in the AUTHORS file in the root of the source tree.
9 */ 9 */
10 10
(...skipping 275 matching lines...) Expand 10 before | Expand all | Expand 10 after
286 } 286 }
287 287
288 void RtpPacketizerH264::NextAggregatePacket(RtpPacketToSend* rtp_packet) { 288 void RtpPacketizerH264::NextAggregatePacket(RtpPacketToSend* rtp_packet) {
289 uint8_t* buffer = rtp_packet->AllocatePayload(max_payload_len_); 289 uint8_t* buffer = rtp_packet->AllocatePayload(max_payload_len_);
290 RTC_DCHECK(buffer); 290 RTC_DCHECK(buffer);
291 PacketUnit* packet = &packets_.front(); 291 PacketUnit* packet = &packets_.front();
292 RTC_CHECK(packet->first_fragment); 292 RTC_CHECK(packet->first_fragment);
293 // STAP-A NALU header. 293 // STAP-A NALU header.
294 buffer[0] = (packet->header & (kFBit | kNriMask)) | H264::NaluType::kStapA; 294 buffer[0] = (packet->header & (kFBit | kNriMask)) | H264::NaluType::kStapA;
295 size_t index = kNalHeaderSize; 295 size_t index = kNalHeaderSize;
296 bool is_last_fragment = packet->last_fragment;
296 while (packet->aggregated) { 297 while (packet->aggregated) {
297 const Fragment& fragment = packet->source_fragment; 298 const Fragment& fragment = packet->source_fragment;
298 // Add NAL unit length field. 299 // Add NAL unit length field.
299 ByteWriter<uint16_t>::WriteBigEndian(&buffer[index], fragment.length); 300 ByteWriter<uint16_t>::WriteBigEndian(&buffer[index], fragment.length);
300 index += kLengthFieldSize; 301 index += kLengthFieldSize;
301 // Add NAL unit. 302 // Add NAL unit.
302 memcpy(&buffer[index], fragment.buffer, fragment.length); 303 memcpy(&buffer[index], fragment.buffer, fragment.length);
303 index += fragment.length; 304 index += fragment.length;
304 packets_.pop(); 305 packets_.pop();
305 input_fragments_.pop_front(); 306 input_fragments_.pop_front();
306 if (packet->last_fragment) 307 if (is_last_fragment)
307 break; 308 break;
308 packet = &packets_.front(); 309 packet = &packets_.front();
310 is_last_fragment = packet->last_fragment;
309 } 311 }
310 RTC_CHECK(packet->last_fragment); 312 RTC_CHECK(is_last_fragment);
311 rtp_packet->SetPayloadSize(index); 313 rtp_packet->SetPayloadSize(index);
312 } 314 }
313 315
314 void RtpPacketizerH264::NextFragmentPacket(RtpPacketToSend* rtp_packet) { 316 void RtpPacketizerH264::NextFragmentPacket(RtpPacketToSend* rtp_packet) {
315 PacketUnit* packet = &packets_.front(); 317 PacketUnit* packet = &packets_.front();
316 // NAL unit fragmented over multiple packets (FU-A). 318 // NAL unit fragmented over multiple packets (FU-A).
317 // We do not send original NALU header, so it will be replaced by the 319 // We do not send original NALU header, so it will be replaced by the
318 // FU indicator header of the first packet. 320 // FU indicator header of the first packet.
319 uint8_t fu_indicator = 321 uint8_t fu_indicator =
320 (packet->header & (kFBit | kNriMask)) | H264::NaluType::kFuA; 322 (packet->header & (kFBit | kNriMask)) | H264::NaluType::kFuA;
(...skipping 298 matching lines...) Expand 10 before | Expand all | Expand 10 after
619 h264->packetization_type = kH264FuA; 621 h264->packetization_type = kH264FuA;
620 h264->nalu_type = original_nal_type; 622 h264->nalu_type = original_nal_type;
621 if (first_fragment) { 623 if (first_fragment) {
622 h264->nalus[h264->nalus_length] = nalu; 624 h264->nalus[h264->nalus_length] = nalu;
623 h264->nalus_length = 1; 625 h264->nalus_length = 1;
624 } 626 }
625 return true; 627 return true;
626 } 628 }
627 629
628 } // namespace webrtc 630 } // namespace webrtc
OLDNEW
« no previous file with comments | « no previous file | no next file » | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698