commit 7e146cb97e27644691a8017fe252dfc184c03808
author deadbeef <deadbeef@webrtc.org> Wed Sep 28 17:04:34 2016
committer Commit bot <commit-bot@chromium.org> Wed Sep 28 17:04:41 2016
tree 67563e567146fa94100209df1480a66d9c84a782
parent 478681e1e6e6c5d66366672614d58b10ad7df083

Fixing heap read overflow when "sctp-port" is in a video description.

This added an SCTP codec, which is later re-interpreted as a video
codec. We shouldn't be adding codecs that don't match the type of the
media description.

BUG=chromium:648062

Review-Url: https://codereview.webrtc.org/2354723002
Cr-Commit-Position: refs/heads/master@{#14421}

webrtc/api/webrtcsdp_unittest.cc

diff --git a/webrtc/api/webrtcsdp_unittest.cc b/webrtc/api/webrtcsdp_unittest.cc
index 10ff0ae..1672268 100644
--- a/webrtc/api/webrtcsdp_unittest.cc
+++ b/webrtc/api/webrtcsdp_unittest.cc
@@ -3183,3 +3183,23 @@
   MakeUnifiedPlanDescription();
   TestSerialize(jdesc_, true);
 }
+
+// Regression test for heap overflow bug:
+// https://bugs.chromium.org/p/chromium/issues/detail?id=647916
+TEST_F(WebRtcSdpTest, DeserializeSctpPortInVideoDescription) {
+  JsepSessionDescription jdesc_output(kDummyString);
+
+  // The issue occurs when the sctp-port attribute is found in a video
+  // description. The actual heap overflow occurs when parsing the fmtp line.
+  const char kSdpWithSctpPortInVideoDescription[] =
+      "v=0\r\n"
+      "o=- 18446744069414584320 18446462598732840960 IN IP4 127.0.0.1\r\n"
+      "s=-\r\n"
+      "t=0 0\r\n"
+      "m=video 9 UDP/DTLS/SCTP 120\r\n"
+      "a=sctp-port 5000\r\n"
+      "a=fmtp:108 foo=10\r\n";
+
+  ExpectParseFailure(std::string(kSdpWithSctpPortInVideoDescription),
+                     "sctp-port");
+}