From 43e7d3bc150788045b549f4ab94a91095980d059 Mon Sep 17 00:00:00 2001
From: noahric
Date: Tue, 14 Jul 2015 10:45:02 -0700
Subject: [PATCH] Avoid overflow in checking for emulation bytes in rbsp. Also fixed an arithmetic issue where a 0 0 3 at the end of the rbsp would include the 3 (that's not a legal bitstream anyway, so it probably wasn't a real bug, but it was incorrect). This maintains the underflow fix from an earlier CL (https://codereview.webrtc.org/1219493004/). The overflow fix is virtually impossible to hit (hence no unit tests), but is there for strict correctness. BUG= Review URL: https://codereview.webrtc.org/1226203002 Cr-Commit-Position: refs/heads/master@{#9581}
---
 webrtc/modules/rtp_rtcp/source/h264_sps_parser.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/webrtc/modules/rtp_rtcp/source/h264_sps_parser.cc b/webrtc/modules/rtp_rtcp/source/h264_sps_parser.cc
index 034e761dcd..d8f9afdd04 100644
--- a/webrtc/modules/rtp_rtcp/source/h264_sps_parser.cc
+++ b/webrtc/modules/rtp_rtcp/source/h264_sps_parser.cc
@@ -36,7 +36,11 @@ bool H264SpsParser::Parse() {
 // section 7.3.1 of the H.264 standard.
 rtc::ByteBuffer rbsp_buffer;
 for (size_t i = 0; i < byte_length_;) {
- if (i + 3 < byte_length_ && sps_[i] == 0 && sps_[i + 1] == 0 &&
+ // Be careful about over/underflow here. byte_length_ - 3 can underflow, and
+ // i + 3 can overflow, but byte_length_ - i can't, because i < byte_length_
+ // above, and that expression will produce the number of bytes left in
+ // the stream including the byte at i.
+ if (byte_length_ - i >= 3 && sps_[i] == 0 && sps_[i + 1] == 0 &&
 sps_[i + 2] == 3) {
 // Two rbsp bytes + the emulation byte.
 rbsp_buffer.WriteBytes(sps_bytes + i, 2);
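Review bot: The new comment above `if (byte_length_ - i >= 3 && ...` explains the over/underflow reasoning but not the boundary change that comes with it. The old `i + 3 < byte_length_` skipped a `00 00 03` sitting in the last three bytes, while `>= 3` now strips that final `03`. I would add a line such as `// >= 3, not > 3: a 00 00 03 that ends the buffer is still an emulation sequence, and it keeps the reads of sps_[i + 1] and sps_[i + 2] in bounds.` Unlike the overflow case, this boundary is easy to reach, so a unit test feeding a buffer that ends in `00 00 03` would pin the behaviour for a parser that presumably handles data received from the network. The `for` loop and the rest of `Parse()` continue outside the hunk, so how `i` advances after the write is not visible here.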