Prevent potential buffer overflow in UlpfecReceiver
Bug: chromium:841962
Change-Id: I5ef0341a5fffe6b6204f5b2edbaec2d389a56964
Reviewed-on: https://webrtc-review.googlesource.com/77420
Commit-Queue: Ying Wang <yinwa@webrtc.org>
Reviewed-by: Rasmus Brandt <brandtr@webrtc.org>
Reviewed-by: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23341}
diff --git a/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc b/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
index 480e764..cb3e28b 100644
--- a/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
+++ b/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
@@ -80,7 +80,11 @@
<< "Received RED packet with different SSRC than expected; dropping.";
return -1;
}
-
+ if (packet_length > IP_PACKET_SIZE) {
+ RTC_LOG(LS_WARNING) << "Received RED packet with length exceeds maximum IP "
+ "packet size; dropping.";
+ return -1;
+ }
rtc::CritScope cs(&crit_sect_);
uint8_t red_header_length = 1;
@@ -180,6 +184,7 @@
} else if (received_packet->is_fec) {
++packet_counter_.num_fec_packets;
+
// everything behind the RED header
memcpy(received_packet->pkt->data,
incoming_rtp_packet + header.headerLength + red_header_length,