From 6ebdf6b2cc0f3af30c95a085215cd05b91213a21 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erik=20Spr=C3=A5ng?=
Date: Tue, 7 Jun 2016 18:01:21 +0200
Subject: [PATCH] Fix issue with parsing of incorrect (empty) Stap-A H264 NAL units.
Stap-A packets should be ignored if NAL unit size is less than one, since that won't even fit the mandatory type header byte.
BUG=chromium:617097
R=pbos@webrtc.org, stefan@webrtc.org
Review URL: https://codereview.webrtc.org/2039353002 .
Cr-Commit-Position: refs/heads/master@{#13057}
---
 .../rtp_rtcp/source/rtp_format_h264.cc | 5 ++++
 .../source/rtp_format_h264_unittest.cc | 24 +++++++++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc b/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
index 64a2a94b7e..24ebe769de 100644
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
@@ -403,6 +403,11 @@ bool RtpDepacketizerH264::ProcessStapAOrSingleNalu(
 // End offset is actually start offset for next unit, excluding length field
 // so remove that from this units length.
 size_t end_offset = nalu_start_offsets[i + 1] - kLengthFieldSize;
+ if (end_offset - start_offset < H264::kNaluTypeSize) {
+ LOG(LS_ERROR) << "STAP-A packet too short";
+ return false;
+ }
+
 nal_type = payload_data[start_offset] & kTypeMask;
 start_offset += H264::kNaluTypeSize;
diff --git a/webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc b/webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc
index d4cffaea02..6729be419c 100644
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc
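Review bot: The guard added to ProcessStapAOrSingleNalu in rtp_format_h264.cc, `end_offset - start_offset < H264::kNaluTypeSize`, subtracts two `size_t` values, so it only rejects a short unit as long as `end_offset` is never below `start_offset`; if that ordering were ever violated the difference would wrap to a very large value and the check would pass. Whether `nalu_start_offsets` guarantees the ordering is decided outside this hunk, so I would write the comparison without a subtraction: `if (end_offset < start_offset + H264::kNaluTypeSize) {`. The function name suggests the same loop also handles a single NAL unit, in which case the text "STAP-A packet too short" may mislead someone reading the logs. The function body starts and ends outside the hunk.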
@@ -569,6 +569,30 @@ TEST_F(RtpDepacketizerH264Test, TestStapANaluSpsWithResolution) {
 EXPECT_EQ(720u, payload.type.Video.height);
 }
+TEST_F(RtpDepacketizerH264Test, TestEmptyStapARejected) {
+ uint8_t lone_empty_packet[] = {kStapA, 0x00, 0x00};
+
+ uint8_t leading_empty_packet[] = {kStapA, 0x00, 0x00, 0x00, 0x04,
+ kIdr, 0xFF, 0x00, 0x11};
+
+ uint8_t middle_empty_packet[] = {kStapA, 0x00, 0x03, kIdr, 0xFF, 0x00, 0x00,
+ 0x00, 0x00, 0x04, kIdr, 0xFF, 0x00, 0x11};
+
+ uint8_t trailing_empty_packet[] = {kStapA, 0x00, 0x03, kIdr,
+ 0xFF, 0x00, 0x00, 0x00};
+
+ RtpDepacketizer::ParsedPayload payload;
+
+ EXPECT_FALSE(depacketizer_->Parse(&payload, lone_empty_packet,
+ sizeof(lone_empty_packet)));
+ EXPECT_FALSE(depacketizer_->Parse(&payload, leading_empty_packet,
+ sizeof(leading_empty_packet)));
+ EXPECT_FALSE(depacketizer_->Parse(&payload, middle_empty_packet,
+ sizeof(middle_empty_packet)));
+ EXPECT_FALSE(depacketizer_->Parse(&payload, trailing_empty_packet,
+ sizeof(trailing_empty_packet)));
+}
+
 TEST_F(RtpDepacketizerH264Test, DepacketizeWithRewriting) {
 rtc::Buffer in_buffer;
 rtc::Buffer out_buffer;
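Review bot: The four arrays in TestEmptyStapARejected only cover a declared NAL unit size of zero, so nothing pins the accepted side of the new `< H264::kNaluTypeSize` boundary. A companion case whose length field is `0x00, 0x01` followed by a single type byte would record what the depacketizer does with the smallest unit that passes the guard; whether Parse returns true for it depends on code outside this hunk, so the expected value needs confirming first. A one-line comment above each array, e.g. `// STAP-A header, then a 16-bit NALU length of 0 and no payload`, would make the byte layouts easier to check against the framing.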