Add safety checks in RtpPacket::ZeroMutableExtensions and fuzz it
Bug: chromium:1042535
Change-Id: I0f7ef1086631b5beb2e0c89d57534d2551289117
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/166441
Reviewed-by: Niels Moller <nisse@webrtc.org>
Reviewed-by: Danil Chapovalov <danilchap@webrtc.org>
Commit-Queue: Ilya Nikolaevskiy <ilnik@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#30303}
diff --git a/modules/rtp_rtcp/source/rtp_packet.cc b/modules/rtp_rtcp/source/rtp_packet.cc
index 27c940c..3d86a8c 100644
--- a/modules/rtp_rtcp/source/rtp_packet.cc
+++ b/modules/rtp_rtcp/source/rtp_packet.cc
@@ -165,11 +165,13 @@
break;
}
case RTPExtensionType::kRtpExtensionVideoTiming: {
- // Nullify 3 last entries: packetization delay and 2 network timestamps.
- // Each of them is 2 bytes.
- memset(
- WriteAt(extension.offset + VideoSendTiming::kPacerExitDeltaOffset),
- 0, 6);
+ // Nullify last entries, starting at pacer delay.
+ // These are set by pacer and SFUs
+ if (VideoSendTiming::kPacerExitDeltaOffset < extension.length) {
+ memset(WriteAt(extension.offset +
+ VideoSendTiming::kPacerExitDeltaOffset),
+ 0, extension.length - VideoSendTiming::kPacerExitDeltaOffset);
+ }
break;
}
case RTPExtensionType::kRtpExtensionTransportSequenceNumber:
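Review bot: The new guard around the `memset` in the `kRtpExtensionVideoTiming` case does not say why it is needed, and the reason is security-relevant. `extension.length` presumably comes from the parsed packet, so with a truncated VideoTiming extension the old fixed 6-byte write would land in whatever follows the extension. I would put that in the comment, e.g. `// extension.length comes from the received header and may be shorter than the full VideoTiming layout; zero only the bytes actually present.` A unit test with a VideoTiming extension shorter than `kPacerExitDeltaOffset + 6` would pin the fix deterministically instead of relying on the fuzzer to rediscover it. The enclosing switch starts and continues outside this hunk.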
diff --git a/test/fuzzers/rtp_packet_fuzzer.cc b/test/fuzzers/rtp_packet_fuzzer.cc
index e256eec..25fec2c 100644
--- a/test/fuzzers/rtp_packet_fuzzer.cc
+++ b/test/fuzzers/rtp_packet_fuzzer.cc
@@ -156,5 +156,8 @@
break;
}
}
+
+ // Check that zero-ing mutable extensions wouldn't cause any problems.
+ packet.ZeroMutableExtensions();
}
} // namespace webrtc
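Review bot: The added `packet.ZeroMutableExtensions()` call only lets a sanitizer catch writes that leave the allocation. A write that overruns an extension but stays inside the packet buffer, for example into the next extension or the payload, would still pass silently. A post-condition check would make the fuzzer sensitive to that class as well. One option, assuming `payload()` is usable at this point, is to copy the payload before the call with `std::vector<uint8_t> before(packet.payload().begin(), packet.payload().end());` and check afterwards with `RTC_CHECK(std::equal(before.begin(), before.end(), packet.payload().begin()));`. The fuzz function body starts outside this hunk, so whether every path to this line has a successfully parsed packet cannot be confirmed from here.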