admin/webrtc_m130
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Fix buffer overflow in ulpfec recovery"

Browse Source 
This reverts commit 865feabca9a65cd04b5004415e7976aed50b7c2a.

Reason for revert: didn't fix the overlow

Original change's description:
> Fix buffer overflow in ulpfec recovery
> 
> Bug: chromium:856823
> Change-Id: I21fe21789ed3efbf71b5d3e234740a50c7911f6c
> Reviewed-on: https://webrtc-review.googlesource.com/88228
> Reviewed-by: Rasmus Brandt <brandtr@webrtc.org>
> Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
> Cr-Commit-Position: refs/heads/master@{#23947}

TBR=danilchap@webrtc.org,brandtr@webrtc.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: chromium:856823
Change-Id: I095b93ffa1754e1923ab58a7fa61575b6e2fd83a
Reviewed-on: https://webrtc-review.googlesource.com/88720
Reviewed-by: Danil Chapovalov <danilchap@webrtc.org>
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23982}
This commit is contained in:
Danil Chapovalov 2018-07-16 12:01:40 +00:00 committed by Commit Bot
parent 01cee079dc
commit 3643aef89c
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
modules/rtp_rtcp/source/forward_error_correction.cc
View File

@ -609,8 +609,8 @@ void ForwardErrorCorrection::XorPayloads(const Packet& src,
size_t dst_offset,
Packet* dst) {
// XOR the payload.
RTC_CHECK_LE(kRtpHeaderSize + payload_length, sizeof(src.data));
RTC_CHECK_LE(dst_offset + payload_length, sizeof(dst->data));
RTC_DCHECK_LE(kRtpHeaderSize + payload_length, sizeof(src.data));
RTC_DCHECK_LE(dst_offset + payload_length, sizeof(dst->data));
for (size_t i = 0; i < payload_length; ++i) {
dst->data[dst_offset + i] ^= src.data[kRtpHeaderSize + i];
}
@ -627,8 +627,7 @@ bool ForwardErrorCorrection::RecoverPacket(const ReceivedFecPacket& fec_packet,
recovered_packet->seq_num = protected_packet->seq_num;
} else {
XorHeaders(*protected_packet->pkt, recovered_packet->pkt);
XorPayloads(*protected_packet->pkt,
protected_packet->pkt->length - kRtpHeaderSize,
XorPayloads(*protected_packet->pkt, protected_packet->pkt->length,
kRtpHeaderSize, recovered_packet->pkt);
}
}