From 4f74385b4f568df77055f99b04de41557ffd022a Mon Sep 17 00:00:00 2001
From: Danil Chapovalov <danilchap@webrtc.org>
Date: Mon, 2 Jan 2023 10:44:27 +0100
Subject: [PATCH] Zero memory for FEC recovered packets when size increases

rtc::CopyOnWriteBuffer::SetSize extends buffer with uninitialized memory by design.
It is up to the user of the rtc::CopyOnWriteBuffer to ensure it is initialized.

Bug: chromium:1404299
Change-Id: I41f3f91bf20ff440984d78ed81e01f5db36ff509
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/290400
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Reviewed-by: Per Kjellander <perkj@webrtc.org>
Cr-Commit-Position: refs/heads/main@{#38972}
---
 modules/rtp_rtcp/source/forward_error_correction.cc | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/modules/rtp_rtcp/source/forward_error_correction.cc b/modules/rtp_rtcp/source/forward_error_correction.cc
index dbf6c361df..1462c2f481 100644
--- a/modules/rtp_rtcp/source/forward_error_correction.cc
+++ b/modules/rtp_rtcp/source/forward_error_correction.cc
@@ -225,10 +225,10 @@ void ForwardErrorCorrection::GenerateFecPayloads(
 
         size_t fec_packet_length = fec_header_size + media_payload_length;
         if (fec_packet_length > fec_packet->data.size()) {
-          // Recall that XORing with zero (which the FEC packets are prefilled
-          // with) is the identity operator, thus all prior XORs are
-          // still correct even though we expand the packet length here.
+          size_t old_size = fec_packet->data.size();
           fec_packet->data.SetSize(fec_packet_length);
+          memset(fec_packet->data.MutableData() + old_size, 0,
+                 fec_packet_length - old_size);
         }
         XorHeaders(*media_packet, fec_packet);
         XorPayloads(*media_packet, media_payload_length, fec_header_size,
@@ -619,7 +619,10 @@ void ForwardErrorCorrection::XorPayloads(const Packet& src,
   RTC_DCHECK_LE(kRtpHeaderSize + payload_length, src.data.size());
   RTC_DCHECK_LE(dst_offset + payload_length, dst->data.capacity());
   if (dst_offset + payload_length > dst->data.size()) {
-    dst->data.SetSize(dst_offset + payload_length);
+    size_t old_size = dst->data.size();
+    size_t new_size = dst_offset + payload_length;
+    dst->data.SetSize(new_size);
+    memset(dst->data.MutableData() + old_size, 0, new_size - old_size);
   }
   uint8_t* dst_data = dst->data.MutableData();
   const uint8_t* src_data = src.data.cdata();