Bug 1297808: Limit combined size of RTCP APP packets r=drno
authorRandell Jesup <rjesup@jesup.org>
Mon, 29 Aug 2016 13:23:51 -0400
changeset 311673 a0b45e0de73a73760727c6ede2a676527e090498
parent 311672 5ce59b4fb51473abc7a0b2f233a5a99f01465a9f
child 311674 03da0450bbfd3bf1495bbd4240c39421b5286754
push id20413
push userkwierso@gmail.com
push dateTue, 30 Aug 2016 00:56:45 +0000
treeherderfx-team@fecb1018cdcb [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersdrno
bugs1297808
milestone51.0a1
Bug 1297808: Limit combined size of RTCP APP packets r=drno
media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtcp_receiver_help.cc
--- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtcp_receiver_help.cc
+++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtcp_receiver_help.cc
@@ -57,16 +57,19 @@ void RTCPPacketInformation::AddApplicati
     uint8_t* oldData = applicationData;
     uint16_t oldLength = applicationLength;
 
     // Don't copy more than kRtcpAppCode_DATA_SIZE bytes.
     uint16_t copySize = size;
     if (size > kRtcpAppCode_DATA_SIZE) {
         copySize = kRtcpAppCode_DATA_SIZE;
     }
+    if (((uint32_t) applicationLength) + copySize > UINT16_MAX) {
+      return;
+    }
 
     applicationLength += copySize;
     applicationData = new uint8_t[applicationLength];
 
     if (oldData)
     {
         memcpy(applicationData, oldData, oldLength);
         memcpy(applicationData+oldLength, data, copySize);