Google Git
Sign in
webrtc / src / afdbf8e6f881bda6cfe8c8c8c46f2167db8b0b05
commitafdbf8e6f881bda6cfe8c8c8c46f2167db8b0b05[log] [tgz]
authorChema Gonzalez <chemag@fb.com>Wed Jun 24 17:05:22 2020
committerCommit Bot <commit-bot@chromium.org>Wed Jun 24 21:54:45 2020
treec8079e22f4258751e997028226e2dba9f73ed4ce
parent603cc3a31e832565829a578b05036bd9def54796 [diff]
H264: Fix stap-a-to-annex-b loop over-read

While converting the aggregated (stap-a) packet transform packet
framing input into an annex-b framing copy, the two loops (both the
required size calculation and the stap-a-to-annex-b copy) may
over-read the input buffer.

In both buffers, `nalu_ptr` follows the input (stap-a) buffer, which
is located in `data`, and whose length is `data_size`. Buffer is read
until `nalu_ptr` reaches the end of the buffer. Issues is that the 5th
line in the loop:

```
    uint16_t segment_length = nalu_ptr[0] << 8 | nalu_ptr[1];
```

This line accesses `nalu_ptr[1]`, which needs to be protected in
the loop condition. Let's assume `data_size = 4`, and that we restart
the loop with `nalu_ptr = data + 3`. The condition of the loop does
hold (`nalu_ptr = data + 3 < data + data_size`), but the 5th line
will access to `data[3+1] = data[4]`, which is an over-read.

Tested:

```
$ ninja -C out/Default
$ out/Default/modules_unittests --gtest_filter=PacketBuffer*:H264*:RtpPacketizerH264Test*:VideoRtpDepacketizerH264Test*:TestH264SpsPpsTracker* --logs
...
[  PASSED  ] 97 tests.
```

Change-Id: I8b8aaf7d12b0bb154430b8922f099cd49e684762
Bug: webrtc:11698
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/177140
Reviewed-by: Sergey Silkin <ssilkin@webrtc.org>
Reviewed-by: Rasmus Brandt <brandtr@webrtc.org>
Commit-Queue: Niklas Enbom <niklas.enbom@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#31561}
1 file changed
tree: c8079e22f4258751e997028226e2dba9f73ed4ce
  1. api/
  2. audio/
  3. build_overrides/
  4. call/
  5. common_audio/
  6. common_video/
  7. data/
  8. docs/
  9. examples/
  10. logging/
  11. media/
  12. modules/
  13. p2p/
  14. pc/
  15. resources/
  16. rtc_base/
  17. rtc_tools/
  18. sdk/
  19. stats/
  20. style-guide/
  21. system_wrappers/
  22. test/
  23. tools_webrtc/
  24. video/
  25. .clang-format
  26. .git-blame-ignore-revs
  27. .gitignore
  28. .gn
  29. .vpython
  30. abseil-in-webrtc.md
  31. AUTHORS
  32. BUILD.gn
  33. CODE_OF_CONDUCT.md
  34. codereview.settings
  35. common_types.h
  36. DEPS
  37. ENG_REVIEW_OWNERS
  38. LICENSE
  39. license_template.txt
  40. native-api.md
  41. OWNERS
  42. PATENTS
  43. PRESUBMIT.py
  44. presubmit_test.py
  45. presubmit_test_mocks.py
  46. pylintrc
  47. README.chromium
  48. README.md
  49. style-guide.md
  50. WATCHLISTS
  51. webrtc.gni
  52. webrtc_lib_link_test.cc
  53. whitespace.txt
README.md

WebRTC is a free, open software project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs. The WebRTC components have been optimized to best serve this purpose.

Our mission: To enable rich, high-quality RTC applications to be developed for the browser, mobile platforms, and IoT devices, and allow them all to communicate via a common set of protocols.

The WebRTC initiative is a project supported by Google, Mozilla and Opera, amongst others.

Development

See here for instructions on how to get started developing with the native code.

Authoritative list of directories that contain the native API header files.

More info