Bug 1325513 - Check RTP extension header length. r=jesup, a=gchang
authorNils Ohlmeier [:drno] <drno@ohlmeier.org>
Wed, 12 Apr 2017 15:09:18 -0700
changeset 395944 3cf4e805acc212faa2879420d33f33bb1a29f398
parent 395943 6a768cc3c85a0fb009f4c7dc252ad837b62f818d
child 395945 52424eda8c086537fac06966ee7461d27bd6888f
push id1468
push userasasaki@mozilla.com
push dateMon, 05 Jun 2017 19:31:07 +0000
treeherdermozilla-release@0641fc6ee9d1 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjesup, gchang
bugs1325513
milestone54.0
Bug 1325513 - Check RTP extension header length. r=jesup, a=gchang MozReview-Commit-ID: 6sUVQjUh8bF
media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
--- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
+++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
@@ -320,16 +320,21 @@ void RtpHeaderParser::ParseOneByteExtens
     // +-+-+-+-+-+-+-+-+
     // |  ID   |  len  |
     // +-+-+-+-+-+-+-+-+
 
     // Note that 'len' is the header extension element length, which is the
     // number of bytes - 1.
     const int id = (*ptr & 0xf0) >> 4;
     const int len = (*ptr & 0x0f);
+    if (ptr + len + 1 > ptrRTPDataExtensionEnd) {
+      LOG(LS_WARNING)
+          << "RTP extension header length out of bounds. Terminate parsing.";
+      return;
+    }
     ptr++;
 
     if (id == 15) {
       LOG(LS_WARNING)
           << "RTP extension header 15 encountered. Terminate parsing.";
       return;
     }