From 48c3839e703f4186570590a9c7d966af6407d3ab Mon Sep 17 00:00:00 2001
From: pbos
Date: Tue, 30 Jun 2015 02:12:03 -0700
Subject: [PATCH] Prevent depacketizer OOB reads on zero-length VP8 payload.

BUG=webrtc:4771
R=stefan@webrtc.org
Review URL: https://codereview.webrtc.org/1221643009
Cr-Commit-Position: refs/heads/master@{#9520}
---
 webrtc/modules/rtp_rtcp/source/rtp_format_vp8.cc | 4 ++++
 webrtc/modules/rtp_rtcp/source/rtp_format_vp8_unittest.cc | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/webrtc/modules/rtp_rtcp/source/rtp_format_vp8.cc b/webrtc/modules/rtp_rtcp/source/rtp_format_vp8.cc
index 5202754caf..1dc799968d 100644
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_vp8.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_vp8.cc
@@ -668,6 +668,10 @@ bool RtpDepacketizerVp8::Parse(ParsedPayload* parsed_payload,
 const uint8_t* payload_data,
 size_t payload_data_length) {
 assert(parsed_payload != NULL);
+ if (payload_data_length == 0) {
+ LOG(LS_ERROR) << "Empty payload.";
+ return false;
+ }
 // Parse mandatory first byte of payload descriptor.
 bool extension = (*payload_data & 0x80) ? true : false; // X bit
diff --git a/webrtc/modules/rtp_rtcp/source/rtp_format_vp8_unittest.cc b/webrtc/modules/rtp_rtcp/source/rtp_format_vp8_unittest.cc
index 804dc09038..4283a778d0 100644
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_vp8_unittest.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_vp8_unittest.cc
@@ -596,4 +596,11 @@ TEST_F(RtpDepacketizerVp8Test, TestWithPacketizer) {
 EXPECT_EQ(payload.type.Video.codecHeader.VP8.layerSync,
 input_header.layerSync);
 }
+
+TEST_F(RtpDepacketizerVp8Test, TestEmptyPayload) {
+ // Using a wild pointer to crash on accesses from inside the depacketizer.
+ uint8_t* garbage_ptr = reinterpret_cast(0x4711);
+ RtpDepacketizer::ParsedPayload payload;
+ EXPECT_FALSE(depacketizer_->Parse(&payload, garbage_ptr, 0));
+}
 } // namespace webrtc
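Review bot: The new guard in RtpDepacketizerVp8::Parse only establishes that one byte is readable, which covers the `*payload_data` dereference on the X-bit line and nothing after it. The rest of the function body lies outside this hunk, so this cannot be confirmed from here, but any descriptor bytes read further down need their own comparison against the remaining length. A comment above the check such as `// Guarantees payload_data[0] only; later reads must re-check the remaining length.` would make that contract explicit. Separately, `LOG(LS_ERROR)` fires once per empty packet and the payload arrives from the network, so a remote sender decides how often it is written; a lower severity or a rate limit is worth considering.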
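Review bot: TestEmptyPayload pins only the length-0 boundary and leaves truncation after the first byte untested. A companion case is worth adding here: a one-byte payload with the X bit (0x80) set, which announces an extension byte that is not present and should be rejected. Backing that case with a real, exactly sized heap buffer lets a sanitizer build report any over-read deterministically. The wild-pointer approach depends on address 0x4711 being unmapped, so the comment could say `// 0x4711 is assumed unmapped; any dereference should fault rather than read stale data.`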