Add range checks in a variety of places where the values will subsequently be
expected to be 0-127.
BUG=none
TEST=none
R=juberti@webrtc.org
TBR=henrika
Review URL: https://webrtc-codereview.appspot.com/37759004
Cr-Commit-Position: refs/heads/master@{#8399}
git-svn-id: http://webrtc.googlecode.com/svn/trunk@8399 4adac7df-926f-26a2-2b94-8c16560cd09d
diff --git a/talk/app/webrtc/webrtcsdp.cc b/talk/app/webrtc/webrtcsdp.cc
index eeb6a32..de45c09 100644
--- a/talk/app/webrtc/webrtcsdp.cc
+++ b/talk/app/webrtc/webrtcsdp.cc
@@ -39,6 +39,7 @@
#include "talk/media/base/codec.h"
#include "talk/media/base/constants.h"
#include "talk/media/base/cryptoparams.h"
+#include "talk/media/base/rtputils.h"
#include "talk/media/sctp/sctpdataengine.h"
#include "webrtc/p2p/base/candidate.h"
#include "webrtc/p2p/base/constants.h"
@@ -587,6 +588,14 @@
return true;
}
+static bool GetPayloadTypeFromString(const std::string& line,
+ const std::string& s,
+ int* payload_type,
+ SdpParseError* error) {
+ return GetValueFromString(line, s, payload_type, error) &&
+ cricket::IsValidRtpPayloadType(*payload_type);
+}
+
void CreateTracksFromSsrcInfos(const SsrcInfoVec& ssrc_infos,
StreamParamsVec* tracks) {
ASSERT(tracks != NULL);
@@ -2206,7 +2215,7 @@
}
int pl = 0;
- if (!GetValueFromString(line, fields[j], &pl, error)) {
+ if (!GetPayloadTypeFromString(line, fields[j], &pl, error)) {
return false;
}
codec_preference.push_back(pl);
@@ -2923,7 +2932,8 @@
return false;
}
int payload_type = 0;
- if (!GetValueFromString(line, payload_type_value, &payload_type, error)) {
+ if (!GetPayloadTypeFromString(line, payload_type_value, &payload_type,
+ error)) {
return false;
}
@@ -3061,7 +3071,7 @@
}
int int_payload_type = 0;
- if (!GetValueFromString(line, payload_type, &int_payload_type, error)) {
+ if (!GetPayloadTypeFromString(line, payload_type, &int_payload_type, error)) {
return false;
}
if (media_type == cricket::MEDIA_TYPE_AUDIO) {
@@ -3093,7 +3103,8 @@
}
int payload_type = kWildcardPayloadType;
if (payload_type_string != "*") {
- if (!GetValueFromString(line, payload_type_string, &payload_type, error)) {
+ if (!GetPayloadTypeFromString(line, payload_type_string, &payload_type,
+ error)) {
return false;
}
}
diff --git a/talk/media/base/rtputils.cc b/talk/media/base/rtputils.cc
index aaa76c0..7252cad 100644
--- a/talk/media/base/rtputils.cc
+++ b/talk/media/base/rtputils.cc
@@ -176,7 +176,8 @@
// Assumes version 2, no padding, no extensions, no csrcs.
bool SetRtpHeader(void* data, size_t len, const RtpHeader& header) {
- if (header.payload_type >= 0x7F) {
+ if (!IsValidRtpPayloadType(header.payload_type) ||
+ header.seq_num < 0 || header.seq_num > UINT16_MAX) {
return false;
}
return (SetUint8(data, kRtpFlagsOffset, kRtpVersion << 6) &&
@@ -194,4 +195,8 @@
return (static_cast<const uint8*>(data)[0] >> 6) == kRtpVersion;
}
+bool IsValidRtpPayloadType(int payload_type) {
+ return payload_type >= 0 && payload_type <= 127;
+}
+
} // namespace cricket
diff --git a/talk/media/base/rtputils.h b/talk/media/base/rtputils.h
index fa055fa..d6e1b4d 100644
--- a/talk/media/base/rtputils.h
+++ b/talk/media/base/rtputils.h
@@ -67,6 +67,10 @@
bool SetRtpHeader(void* data, size_t len, const RtpHeader& header);
bool IsRtpPacket(const void* data, size_t len);
+
+// True if |payload type| is 0-127.
+bool IsValidRtpPayloadType(int payload_type);
+
} // namespace cricket
#endif // TALK_MEDIA_BASE_RTPUTILS_H_
diff --git a/talk/media/webrtc/webrtcvideoengine.cc b/talk/media/webrtc/webrtcvideoengine.cc
index ed5a626..78246dc 100644
--- a/talk/media/webrtc/webrtcvideoengine.cc
+++ b/talk/media/webrtc/webrtcvideoengine.cc
@@ -1772,6 +1772,8 @@
receive_codecs_.push_back(wcodec);
int apt;
if (iter->GetParam(cricket::kCodecParamAssociatedPayloadType, &apt)) {
+ if (!IsValidRtpPayloadType(apt))
+ return false;
associated_payload_types_[wcodec.plType] = apt;
}
}
@@ -1808,6 +1810,8 @@
int rtx_type = iter->id;
int rtx_primary_type = -1;
if (iter->GetParam(kCodecParamAssociatedPayloadType, &rtx_primary_type)) {
+ if (!IsValidRtpPayloadType(rtx_primary_type))
+ return false;
primary_rtx_pt_mapping[rtx_primary_type] = rtx_type;
}
} else if (engine()->CanSendCodec(*iter, dummy_current, &checked_codec)) {
diff --git a/talk/media/webrtc/webrtcvideoengine2.cc b/talk/media/webrtc/webrtcvideoengine2.cc
index cb025f2..567a719 100644
--- a/talk/media/webrtc/webrtcvideoengine2.cc
+++ b/talk/media/webrtc/webrtcvideoengine2.cc
@@ -2105,9 +2105,11 @@
case VideoCodec::CODEC_RTX: {
int associated_payload_type;
if (!in_codec.GetParam(kCodecParamAssociatedPayloadType,
- &associated_payload_type)) {
- LOG(LS_ERROR) << "RTX codec without associated payload type: "
- << in_codec.ToString();
+ &associated_payload_type) ||
+ !IsValidRtpPayloadType(associated_payload_type)) {
+ LOG(LS_ERROR)
+ << "RTX codec with invalid or no associated payload type: "
+ << in_codec.ToString();
return std::vector<VideoCodecSettings>();
}
rtx_mapping[associated_payload_type] = in_codec.id;
diff --git a/webrtc/voice_engine/test/win_test/WinTestDlg.cc b/webrtc/voice_engine/test/win_test/WinTestDlg.cc
index b63b1d2..ea87a0d 100644
--- a/webrtc/voice_engine/test/win_test/WinTestDlg.cc
+++ b/webrtc/voice_engine/test/win_test/WinTestDlg.cc
@@ -927,7 +927,7 @@
{
BOOL ret;
int pt = GetDlgItemInt(IDC_EDIT_EVENT_RX_PT, &ret);
- if (ret == FALSE)
+ if (ret == FALSE || pt < 0 || pt > 127)
return;
CodecInst codec;
strcpy_s(codec.plname, 32, "telephone-event");
@@ -940,7 +940,7 @@
{
BOOL ret;
int pt = GetDlgItemInt(IDC_EDIT_EVENT_TX_PT, &ret);
- if (ret == FALSE)
+ if (ret == FALSE || pt < 0 || pt > 127)
return;
TEST2(_veDTMFPtr->SetSendTelephoneEventPayloadType(_channel, pt) == 0,
_T("SetSendTelephoneEventPayloadType(channel=%d, type=%u)"), _channel, pt);
