summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBjorn Terelius <terelius@webrtc.org>2020-10-05 15:58:01 +0200
committerMichael Brüning <michael.bruning@qt.io>2020-12-01 15:33:42 +0000
commit42a1a175af1240df2e0e87ab51403b52d4c9ec18 (patch)
tree09ef7a25822935530f4b30d336090e276627cf2e
parent811208e7b603d78c48f7ba081f882b61791443da (diff)
[Backport] CVE-2020-16008: Stack buffer overflow in WebRTC
Manual backport of patch originally reviewed on https://webrtc-review.googlesource.com/c/src/+/186720: Allow RTCP packets longer than 1500 bytes in RTC event log. Bug: chromium:1134107 Change-Id: I05da32c57537c3c2fddae96918ff4e4685d62043 Reviewed-by: Elad Alon <eladalon@webrtc.org> Commit-Queue: Björn Terelius <terelius@webrtc.org> Cr-Commit-Position: refs/heads/master@{#32315} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Diffstat
-rw-r--r--chromium/third_party/webrtc/logging/rtc_event_log/encoder/rtc_event_log_encoder_legacy.cc7
1 files changed, 3 insertions, 4 deletions
diff --git a/chromium/third_party/webrtc/logging/rtc_event_log/encoder/rtc_event_log_encoder_legacy.cc b/chromium/third_party/webrtc/logging/rtc_event_log/encoder/rtc_event_log_encoder_legacy.cc
index 54c4031fc14..498e6003b8b 100644
--- a/chromium/third_party/webrtc/logging/rtc_event_log/encoder/rtc_event_log_encoder_legacy.cc
+++ b/chromium/third_party/webrtc/logging/rtc_event_log/encoder/rtc_event_log_encoder_legacy.cc
@@ -670,8 +670,7 @@ std::string RtcEventLogEncoderLegacy::EncodeRtcpPacket(
rtcp::CommonHeader header;
const uint8_t* block_begin = packet.data();
const uint8_t* packet_end = packet.data() + packet.size();
- RTC_DCHECK(packet.size() <= IP_PACKET_SIZE);
- uint8_t buffer[IP_PACKET_SIZE];
+ std::vector<uint8_t> buffer(packet.size());
uint32_t buffer_length = 0;
while (block_begin < packet_end) {
if (!header.Parse(block_begin, packet_end - block_begin)) {
@@ -690,7 +689,7 @@ std::string RtcEventLogEncoderLegacy::EncodeRtcpPacket(
// We log sender reports, receiver reports, bye messages
// inter-arrival jitter, third-party loss reports, payload-specific
// feedback and extended reports.
- memcpy(buffer + buffer_length, block_begin, block_size);
+ memcpy(buffer.data() + buffer_length, block_begin, block_size);
buffer_length += block_size;
break;
case rtcp::App::kPacketType:
@@ -703,7 +702,7 @@ std::string RtcEventLogEncoderLegacy::EncodeRtcpPacket(
block_begin += block_size;
}
- rtclog_event.mutable_rtcp_packet()->set_packet_data(buffer, buffer_length);
+ rtclog_event.mutable_rtcp_packet()->set_packet_data(buffer.data(), buffer_length);
return Serialize(&rtclog_event);
}
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-25 13:23:57 +0000