Fix infinite loop in rtp packet parsing
when rtp header extension is larger than 2^16 bytes
Bug: chromium:811613
Change-Id: I05b725d734dd628056d603b596d3523e827ddb54
Reviewed-on: https://webrtc-review.googlesource.com/52345
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Reviewed-by: Alex Loiko <aleloi@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#22003}diff --git a/modules/rtp_rtcp/source/rtp_packet.cc b/modules/rtp_rtcp/source/rtp_packet.cc
index dec797d..878942b 100644
--- a/modules/rtp_rtcp/source/rtp_packet.cc
+++ b/modules/rtp_rtcp/source/rtp_packet.cc
@@ -336,10 +336,11 @@
extension_entry->offset = rtc::dchecked_cast<uint16_t>(
extensions_offset + extensions_size_ + kOneByteHeaderSize);
extension_entry->length = rtc::dchecked_cast<uint8_t>(length);
- extensions_size_ = rtc::dchecked_cast<uint16_t>(new_extensions_size);
+ extensions_size_ = new_extensions_size;
// Update header length field.
- uint16_t extensions_words = (extensions_size_ + 3) / 4; // Wrap up to 32bit.
+ uint16_t extensions_words = rtc::dchecked_cast<uint16_t>(
+ (extensions_size_ + 3) / 4); // Wrap up to 32bit.
ByteWriter<uint16_t>::WriteBigEndian(WriteAt(extensions_offset - 2),
extensions_words);
// Fill extension padding place with zeroes.
diff --git a/modules/rtp_rtcp/source/rtp_packet.h b/modules/rtp_rtcp/source/rtp_packet.h
index 8bdb8c6..313e00a 100644
--- a/modules/rtp_rtcp/source/rtp_packet.h
+++ b/modules/rtp_rtcp/source/rtp_packet.h
@@ -157,7 +157,7 @@
size_t payload_size_;
ExtensionInfo extension_entries_[kMaxExtensionHeaders];
- uint16_t extensions_size_ = 0; // Unaligned.
+ size_t extensions_size_ = 0; // Unaligned.
rtc::CopyOnWriteBuffer buffer_;
};
diff --git a/test/fuzzers/corpora/rtp-corpus/rtp-6 b/test/fuzzers/corpora/rtp-corpus/rtp-6
new file mode 100644
index 0000000..3a1145c
--- /dev/null
+++ b/test/fuzzers/corpora/rtp-corpus/rtp-6
Binary files differ
