commit 7a84fcf47a492d17ca20947e65b21a06b28e77cd
author Ying Wang <yinwa@webrtc.org> Fri May 18 11:48:58 2018
committer Commit Bot <commit-bot@chromium.org> Tue May 22 09:32:18 2018
tree 47f11e77779c477d1182a03ae52228c686ee12f2
parent 97cb90a440fc235c6fdc84a554cf57ccf934f9c0

Prevent potential buffer overflow in UlpfecReceiver

Bug: chromium:841962
Change-Id: I5ef0341a5fffe6b6204f5b2edbaec2d389a56964
Reviewed-on: https://webrtc-review.googlesource.com/77420
Commit-Queue: Ying Wang <yinwa@webrtc.org>
Reviewed-by: Rasmus Brandt <brandtr@webrtc.org>
Reviewed-by: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23341}

modules/rtp_rtcp/source/ulpfec_receiver_impl.cc

diff --git a/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc b/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
index 480e764..cb3e28b 100644
--- a/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
+++ b/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
@@ -80,7 +80,11 @@
         << "Received RED packet with different SSRC than expected; dropping.";
     return -1;
   }
-
+  if (packet_length > IP_PACKET_SIZE) {
+    RTC_LOG(LS_WARNING) << "Received RED packet with length exceeds maximum IP "
+                           "packet size; dropping.";
+    return -1;
+  }
   rtc::CritScope cs(&crit_sect_);
 
   uint8_t red_header_length = 1;
@@ -180,6 +184,7 @@
 
   } else if (received_packet->is_fec) {
     ++packet_counter_.num_fec_packets;
+
     // everything behind the RED header
     memcpy(received_packet->pkt->data,
            incoming_rtp_packet + header.headerLength + red_header_length,