diff options
author | Bjorn Terelius <terelius@webrtc.org> | 2020-10-05 15:58:01 +0200 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-12-01 15:33:42 +0000 |
commit | 42a1a175af1240df2e0e87ab51403b52d4c9ec18 (patch) | |
tree | 09ef7a25822935530f4b30d336090e276627cf2e | |
parent | 811208e7b603d78c48f7ba081f882b61791443da (diff) |
[Backport] CVE-2020-16008: Stack buffer overflow in WebRTC
Manual backport of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/186720:
Allow RTCP packets longer than 1500 bytes in RTC event log.
Bug: chromium:1134107
Change-Id: I05da32c57537c3c2fddae96918ff4e4685d62043
Reviewed-by: Elad Alon <eladalon@webrtc.org>
Commit-Queue: Björn Terelius <terelius@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#32315}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/webrtc/logging/rtc_event_log/encoder/rtc_event_log_encoder_legacy.cc | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/chromium/third_party/webrtc/logging/rtc_event_log/encoder/rtc_event_log_encoder_legacy.cc b/chromium/third_party/webrtc/logging/rtc_event_log/encoder/rtc_event_log_encoder_legacy.cc index 54c4031fc14..498e6003b8b 100644 --- a/chromium/third_party/webrtc/logging/rtc_event_log/encoder/rtc_event_log_encoder_legacy.cc +++ b/chromium/third_party/webrtc/logging/rtc_event_log/encoder/rtc_event_log_encoder_legacy.cc @@ -670,8 +670,7 @@ std::string RtcEventLogEncoderLegacy::EncodeRtcpPacket( rtcp::CommonHeader header; const uint8_t* block_begin = packet.data(); const uint8_t* packet_end = packet.data() + packet.size(); - RTC_DCHECK(packet.size() <= IP_PACKET_SIZE); - uint8_t buffer[IP_PACKET_SIZE]; + std::vector<uint8_t> buffer(packet.size()); uint32_t buffer_length = 0; while (block_begin < packet_end) { if (!header.Parse(block_begin, packet_end - block_begin)) { @@ -690,7 +689,7 @@ std::string RtcEventLogEncoderLegacy::EncodeRtcpPacket( // We log sender reports, receiver reports, bye messages // inter-arrival jitter, third-party loss reports, payload-specific // feedback and extended reports. - memcpy(buffer + buffer_length, block_begin, block_size); + memcpy(buffer.data() + buffer_length, block_begin, block_size); buffer_length += block_size; break; case rtcp::App::kPacketType: @@ -703,7 +702,7 @@ std::string RtcEventLogEncoderLegacy::EncodeRtcpPacket( block_begin += block_size; } - rtclog_event.mutable_rtcp_packet()->set_packet_data(buffer, buffer_length); + rtclog_event.mutable_rtcp_packet()->set_packet_data(buffer.data(), buffer_length); return Serialize(&rtclog_event); } |