| ☠☠ backed out by 37e87a7c3771 ☠ ☠ | |
| author | Paul Ellenbogen <pe5@cs.princeton.edu> |
| Tue, 12 Jul 2016 11:15:10 -0700 | |
| changeset 306045 | 9fa64e0224e2c16a8097d1d3b3c7d17cc2d59a1a |
| parent 306044 | eb0a5aab8c1338f9b02c1c91adb95f3436661960 |
| child 306046 | 90c6741cda5d9ae5cc472bfe2e819b2f9501e8cc |
| push id | 30474 |
| push user | cbook@mozilla.com |
| push date | Thu, 21 Jul 2016 14:25:10 +0000 |
| treeherder | mozilla-central@6b180266ac16 [default view] [failures only] |
| perfherder | [talos] [build metrics] [platform microbench] (compared to previous push) |
| reviewers | bwc |
| bugs | 1204099 |
| milestone | 50.0a1 |
| first release with | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
| last release without | nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
|
--- a/media/webrtc/signaling/src/jsep/JsepSessionImpl.cpp +++ b/media/webrtc/signaling/src/jsep/JsepSessionImpl.cpp @@ -32,16 +32,27 @@ MOZ_MTLOG_MODULE("jsep") #define JSEP_SET_ERROR(error) \ do { \ std::ostringstream os; \ os << error; \ mLastError = os.str(); \ MOZ_MTLOG(ML_ERROR, mLastError); \ } while (0); +static std::bitset<128> GetForbiddenSdpPayloadTypes() { + std::bitset<128> forbidden(0); + forbidden[1] = true; + forbidden[2] = true; + forbidden[19] = true; + for (uint16_t i = 64; i < 96; ++i) { + forbidden[i] = true; + } + return forbidden; +} + nsresult JsepSessionImpl::Init() { mLastError.clear(); MOZ_ASSERT(!mSessionId, "Init called more than once"); nsresult rv = SetupIds(); @@ -1653,26 +1664,31 @@ JsepSessionImpl::ParseSdp(const std::str } trackIds.insert(trackId); } else if (rv != NS_ERROR_NOT_AVAILABLE) { // Error has already been set return rv; } + static const std::bitset<128> forbidden = GetForbiddenSdpPayloadTypes(); if (msection.GetMediaType() == SdpMediaSection::kAudio || msection.GetMediaType() == SdpMediaSection::kVideo) { // Sanity-check that payload type can work with RTP for (const std::string& fmt : msection.GetFormats()) { uint16_t payloadType; // TODO (bug 1204099): Make this check for reserved ranges. if (!SdpHelper::GetPtAsInt(fmt, &payloadType) || payloadType > 127) { JSEP_SET_ERROR("audio/video payload type is too large: " << fmt); return NS_ERROR_INVALID_ARG; } + if (forbidden.test(payloadType)) { + JSEP_SET_ERROR("Illegal audio/video payload type: " << fmt); + return NS_ERROR_INVALID_ARG; + } } } } *parsedp = Move(parsed); return NS_OK; }
--- a/media/webrtc/signaling/test/jsep_session_unittest.cpp +++ b/media/webrtc/signaling/test/jsep_session_unittest.cpp @@ -2115,16 +2115,31 @@ TEST_P(JsepSessionTest, RenegotiationAns } ASSERT_NE(newOffererPairs[0].mRtpTransport.get(), offererPairs[0].mRtpTransport.get()); ASSERT_NE(newAnswererPairs[0].mRtpTransport.get(), answererPairs[0].mRtpTransport.get()); } +TEST_P(JsepSessionTest, ParseRejectsBadMediaFormat) +{ + if (GetParam() == "datachannel") { + return; + } + AddTracks(mSessionOff); + std::string offer = CreateOffer(); + UniquePtr<Sdp> munge(Parse(offer)); + SdpMediaSection& mediaSection = munge->GetMediaSection(0); + mediaSection.AddCodec("75", "DummyFormatVal", 8000, 1); + std::string sdpString = munge->ToString(); + nsresult rv = mSessionOff.SetLocalDescription(kJsepSdpOffer, sdpString); + ASSERT_EQ(NS_ERROR_INVALID_ARG, rv); +} + TEST_P(JsepSessionTest, FullCallWithCandidates) { AddTracks(mSessionOff); std::string offer = CreateOffer(); SetLocalOffer(offer); mOffCandidates.Gather(mSessionOff, types); UniquePtr<Sdp> localOffer(Parse(mSessionOff.GetLocalDescription()));