Fix infinite loop in rtp packet parsing

when rtp header extension is larger than 2^16 bytes Bug: chromium:811613 Change-Id: I05b725d734dd628056d603b596d3523e827ddb54 Reviewed-on: https://webrtc-review.googlesource.com/52345 Commit-Queue: Danil Chapovalov <danilchap@webrtc.org> Reviewed-by: Alex Loiko <aleloi@webrtc.org> Cr-Commit-Position: refs/heads/master@{#22003}
2018-02-13 13:55:30 +01:00 · 2018-02-13 13:55:30 +01:00 · 61405bcb19
commit 61405bcb19
parent fdd4400ef4
3 changed files with 4 additions and 3 deletions
--- a/modules/rtp_rtcp/source/rtp_packet.cc
+++ b/modules/rtp_rtcp/source/rtp_packet.cc
@ -336,10 +336,11 @@ rtc::ArrayView<uint8_t> RtpPacket::AllocateRawExtension(int id, size_t length) {
  extension_entry->offset = rtc::dchecked_cast<uint16_t>(
      extensions_offset + extensions_size_ + kOneByteHeaderSize);
  extension_entry->length = rtc::dchecked_cast<uint8_t>(length);
-  extensions_size_ = rtc::dchecked_cast<uint16_t>(new_extensions_size);
+  extensions_size_ = new_extensions_size;

  // Update header length field.
-  uint16_t extensions_words = (extensions_size_ + 3) / 4;  // Wrap up to 32bit.
+  uint16_t extensions_words = rtc::dchecked_cast<uint16_t>(
+      (extensions_size_ + 3) / 4);  // Wrap up to 32bit.
  ByteWriter<uint16_t>::WriteBigEndian(WriteAt(extensions_offset - 2),
                                       extensions_words);
  // Fill extension padding place with zeroes.
--- a/modules/rtp_rtcp/source/rtp_packet.h
+++ b/modules/rtp_rtcp/source/rtp_packet.h
@ -157,7 +157,7 @@ class RtpPacket {
  size_t payload_size_;

  ExtensionInfo extension_entries_[kMaxExtensionHeaders];
-  uint16_t extensions_size_ = 0;  // Unaligned.
+  size_t extensions_size_ = 0;  // Unaligned.
  rtc::CopyOnWriteBuffer buffer_;
 };

--- a/test/fuzzers/corpora/rtp-corpus/rtp-6
+++ b/test/fuzzers/corpora/rtp-corpus/rtp-6