diff options
author | Roger Zanoni <rzanoni@google.com> | 2022-07-04 11:39:45 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2022-07-25 16:38:49 +0000 |
commit | 26a4642061b331931a6026dc70ef37808b310bfd (patch) | |
tree | 89991f399f9fcc01ffabcc36dc459328488602c8 /chromium | |
parent | cc0b897269b09d5bfca56ab7de5c05004916f598 (diff) |
[Backport] CVE-2022-2294: Heap buffer overflow in WebRTC (2/2)
Manual cherry-pick of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/267640:
[M96-LTS] Ignore RID that appears without an a=simulcast entry
RID is defined for multiple usages in RFC 8851, but we only support
usage with a=simulcast as specified in RFC 8853.
Bug: chromium:1341043
Change-Id: Ie72074c5b394bdc41865938a86ec9c7629e1f5e0
Commit-Queue: Harald Alvestrand <hta@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#37417}
(cherry picked from commit 1c5808145e8b151800b0320b8a7316a09b706488)
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium')
-rw-r--r-- | chromium/third_party/webrtc/pc/webrtc_sdp.cc | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/chromium/third_party/webrtc/pc/webrtc_sdp.cc b/chromium/third_party/webrtc/pc/webrtc_sdp.cc index 54a646778d3..4fd8a36f816 100644 --- a/chromium/third_party/webrtc/pc/webrtc_sdp.cc +++ b/chromium/third_party/webrtc/pc/webrtc_sdp.cc @@ -3308,7 +3308,11 @@ bool ParseContent(const std::string& message, media_desc->set_simulcast_description(simulcast); } else { - send_rids = rids; + // RID is specified in RFC 8851, which identifies a lot of usages. + // We only support RFC 8853 usage of RID, not anything else. + // Ignore all RID parameters when a=simulcast is missing. + // In particular do NOT do send_rids = rids; + RTC_LOG(LS_VERBOSE) << "Ignoring send_rids without simulcast"; } media_desc->set_receive_rids(receive_rids); |