authorAllan Sandfeld Jensen <allan.jensen@qt.io>2018-09-06 14:25:03 +0200
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2018-09-14 15:24:31 +0000
commit02d134e58d368837b746893ce2aafce483ae4e2b (patch)
tree022babd16a04a8d8c3ac7a072f34e5a85ed391fa
parentaf4500d25e07e0931edcf0f497f9b0c7791a3318 (diff)
[Backport] CVE-2018-16083
Fix handling invalid empty red packets Bug: chromium:856823 Change-Id: Ie50e37f3377d5f7fce0ae17005bcd332af80ff9e Reviewed-by: Åsa Persson <asapersson@webrtc.org> Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/third_party/webrtc/video/rtp_video_stream_receiver.cc3
-rw-r--r--chromium/third_party/webrtc/video/rtp_video_stream_receiver_unittest.cc23
2 files changed, 25 insertions, 1 deletions
diff --git a/chromium/third_party/webrtc/video/rtp_video_stream_receiver.cc b/chromium/third_party/webrtc/video/rtp_video_stream_receiver.cc
index 238eaf34740..8f82d6291c3 100644
--- a/chromium/third_party/webrtc/video/rtp_video_stream_receiver.cc
+++ b/chromium/third_party/webrtc/video/rtp_video_stream_receiver.cc
@@ -461,7 +461,8 @@ void RtpVideoStreamReceiver::ReceivePacket(const uint8_t* packet,
void RtpVideoStreamReceiver::ParseAndHandleEncapsulatingHeader(
const uint8_t* packet, size_t packet_length, const RTPHeader& header) {
RTC_DCHECK_CALLED_SEQUENTIALLY(&worker_task_checker_);
- if (rtp_payload_registry_.IsRed(header)) {
+ if (rtp_payload_registry_.IsRed(header) &&
+ packet_length > header.headerLength + header.paddingLength) {
int8_t ulpfec_pt = rtp_payload_registry_.ulpfec_payload_type();
if (packet[header.headerLength] == ulpfec_pt) {
rtp_receive_statistics_->FecPacketReceived(header, packet_length);
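Review bot: The new length guard in front of `packet[header.headerLength]` is folded into the `IsRed` condition with no comment, so a later refactor could drop it without noticing that it is what prevents a read past the end of the buffer when a RED packet carries no payload. I would add `// A RED packet needs at least one payload byte: packet[header.headerLength] below reads the RED header.` above the `if`. The rejection is also silent; an empty RED packet is malformed network input, so a rate-limited warning or a drop counter at this point would make such traffic visible to operators. The body of ParseAndHandleEncapsulatingHeader continues past the end of the hunk, so what happens to the packet once the `if` is skipped cannot be seen here.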
diff --git a/chromium/third_party/webrtc/video/rtp_video_stream_receiver_unittest.cc b/chromium/third_party/webrtc/video/rtp_video_stream_receiver_unittest.cc
index 297218205f2..d6300f5f638 100644
--- a/chromium/third_party/webrtc/video/rtp_video_stream_receiver_unittest.cc
+++ b/chromium/third_party/webrtc/video/rtp_video_stream_receiver_unittest.cc
@@ -218,6 +218,29 @@ TEST_F(RtpVideoStreamReceiverTest, GenericKeyFrame) {
&rtp_header);
}
+TEST_F(RtpVideoStreamReceiverTest,
+ DropsPacketWithRedPayloadTypeAndEmptyPayload) {
+ const uint8_t kRedPayloadType = 125;
+ config_.rtp.red_payload_type = kRedPayloadType;
+ SetUp(); // re-create rtp_video_stream_receiver with red payload type.
+ // clang-format off
+ const uint8_t data[] = {
+ 0x80, // RTP version.
+ kRedPayloadType, // Payload type.
+ 0, 0, 0, 0, 0, 0, // Don't care.
+ 0, 0, 0x4, 0x57, // SSRC
+ // Empty rtp payload.
+ };
+ // clang-format on
+ RtpPacketReceived packet;
+ // Manually convert to CopyOnWriteBuffer to be sure capacity == size
+ // and asan bot can catch read buffer overflow.
+ EXPECT_TRUE(packet.Parse(rtc::CopyOnWriteBuffer(data)));
+ rtp_video_stream_receiver_->StartReceive();
+ rtp_video_stream_receiver_->OnRtpPacket(packet);
+ // Expect asan doesn't find anything.
+}
+
TEST_F(RtpVideoStreamReceiverTest, GenericKeyFrameBitstreamError) {
WebRtcRTPHeader rtp_header;
const std::vector<uint8_t> data({1, 2, 3, 4});
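Review bot: DropsPacketWithRedPayloadTypeAndEmptyPayload asserts nothing about the outcome and relies on AddressSanitizer to fail, as its own comments say, so on a build without ASan it passes with or without the guard. It also leaves the `header.paddingLength` term of the new condition untested, because the first byte is `0x80` and the padding bit is therefore clear. A second case whose payload consists only of padding (padding bit set, final byte giving the padding length) would cover that term, assuming `RtpPacketReceived::Parse` accepts such a packet. The context lines after the new test belong to GenericKeyFrameBitstreamError, which continues outside the hunk.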