commit 1e675c7835f188cd8be228f5da6d3467690355b8
author Danil Chapovalov <danilchap@webrtc.org> Mon Jan 02 09:44:27 2023
committer WebRTC LUCI CQ <webrtc-scoped@luci-project-accounts.iam.gserviceaccount.com> Thu Jan 26 12:49:32 2023
tree 5bf629b78dc84cd3ab4cb0f77baf0042874264f6
parent 36b2ad31c8d06c9cbc0d7ec7331b466031d010cb

Zero memory for FEC recovered packets when size increases

rtc::CopyOnWriteBuffer::SetSize extends buffer with uninitialized memory by design.
It is up to the user of the rtc::CopyOnWriteBuffer to ensure it is initialized.

(cherry picked from commit 4f74385b4f568df77055f99b04de41557ffd022a)

No-Try: true
Bug: chromium:1404299
Change-Id: I41f3f91bf20ff440984d78ed81e01f5db36ff509
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/290400
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Reviewed-by: Per Kjellander <perkj@webrtc.org>
Cr-Original-Commit-Position: refs/heads/main@{#38972}
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/291541
Cr-Commit-Position: refs/branch-heads/5481@{#4}
Cr-Branched-From: 2e1a9a4ae0234d4b1ea7a6fd4188afa1fb20379d-refs/heads/main@{#38901}

modules/rtp_rtcp/source/forward_error_correction.cc

diff --git a/modules/rtp_rtcp/source/forward_error_correction.cc b/modules/rtp_rtcp/source/forward_error_correction.cc
index dbf6c36..1462c2f 100644
--- a/modules/rtp_rtcp/source/forward_error_correction.cc
+++ b/modules/rtp_rtcp/source/forward_error_correction.cc
@@ -225,10 +225,10 @@
 
         size_t fec_packet_length = fec_header_size + media_payload_length;
         if (fec_packet_length > fec_packet->data.size()) {
-          // Recall that XORing with zero (which the FEC packets are prefilled
-          // with) is the identity operator, thus all prior XORs are
-          // still correct even though we expand the packet length here.
+          size_t old_size = fec_packet->data.size();
           fec_packet->data.SetSize(fec_packet_length);
+          memset(fec_packet->data.MutableData() + old_size, 0,
+                 fec_packet_length - old_size);
         }
         XorHeaders(*media_packet, fec_packet);
         XorPayloads(*media_packet, media_payload_length, fec_header_size,
@@ -619,7 +619,10 @@
   RTC_DCHECK_LE(kRtpHeaderSize + payload_length, src.data.size());
   RTC_DCHECK_LE(dst_offset + payload_length, dst->data.capacity());
   if (dst_offset + payload_length > dst->data.size()) {
-    dst->data.SetSize(dst_offset + payload_length);
+    size_t old_size = dst->data.size();
+    size_t new_size = dst_offset + payload_length;
+    dst->data.SetSize(new_size);
+    memset(dst->data.MutableData() + old_size, 0, new_size - old_size);
   }
   uint8_t* dst_data = dst->data.MutableData();
   const uint8_t* src_data = src.data.cdata();