From 30a3a751a68f1a076fb28f3ab55e4be80c2dfac5 Mon Sep 17 00:00:00 2001
From: Danil Chapovalov
Date: Thu, 16 Jun 2016 15:57:15 +0200
Subject: [PATCH] Fix buffer overflow parsing malformed rtp packet that has one-byte length extension going past extensions block
BUG=chromium:620277
R=asapersson@webrtc.org
Review URL: https://codereview.webrtc.org/2064403002 .
Cr-Commit-Position: refs/heads/master@{#13168}
---
 webrtc/modules/rtp_rtcp/source/rtp_utility.cc | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/webrtc/modules/rtp_rtcp/source/rtp_utility.cc b/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
index 131b54ad50..e38b3a3b43 100644
--- a/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
@@ -323,6 +323,13 @@ void RtpHeaderParser::ParseOneByteExtensionHeader(
 return;
 }
 
+ if (ptrRTPDataExtensionEnd - ptr < (len + 1)) {
+ LOG(LS_WARNING) << "Incorrect one-byte extension len: " << (len + 1)
+ << ", bytes left in buffer: "
+ << (ptrRTPDataExtensionEnd - ptr);
+ return;
+ }
+
 RTPExtensionType type;
 if (ptrExtensionMap->GetType(id, &type) != 0) {
 // If we encounter an unknown extension, just skip over it.
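Review bot: The new bounds check in ParseOneByteExtensionHeader bails out with a bare `return;` from a `void` function, so the caller presumably cannot tell a truncated extension block from a clean parse and the packet is still passed on with whatever extensions were filled in before the bad element. If that is intended, say so above the check, e.g. `// Malformed element: stop parsing extensions but keep the packet; extensions parsed so far stay set.`; if not, the function would need to report failure, which touches its signature outside this hunk. The comparison against `len + 1` is only right if `ptr` already points past the ID/len byte here, which is set up outside the hunk and worth confirming. The diffstat shows only rtp_utility.cc changed, so a regression test that feeds a one-byte extension whose length runs past the extension block should accompany the fix. The `LOG(LS_WARNING)` fires once per malformed packet on network-controlled input, so consider throttling it so that a remote sender cannot flood the log.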