Check old_vector_size prior to copying in RTPFragmentationHeader::Resize

Bug: webrtc:11739 Change-Id: Ifafa0f8f00cc97e3a332b4f615fb828d89199d5b Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/178500 Commit-Queue: Tommi <tommi@webrtc.org> Reviewed-by: Mirko Bonadei <mbonadei@webrtc.org> Reviewed-by: Danil Chapovalov <danilchap@webrtc.org> Reviewed-by: Tommi <tommi@webrtc.org> Cr-Commit-Position: refs/heads/master@{#31704}
2020-07-10 11:31:39 -04:00 · 2020-07-10 11:31:39 -04:00 · 84a812e659
commit 84a812e659
parent 8df59bc74e
1 changed files with 22 additions and 19 deletions
--- a/modules/include/module_common_types.cc
+++ b/modules/include/module_common_types.cc
@ -90,25 +90,28 @@ void RTPFragmentationHeader::CopyFrom(const RTPFragmentationHeader& src) {
 void RTPFragmentationHeader::Resize(size_t size) {
  const uint16_t size16 = rtc::dchecked_cast<uint16_t>(size);
  if (fragmentationVectorSize < size16) {
-    uint16_t oldVectorSize = fragmentationVectorSize;
-    {
-      // offset
-      size_t* oldOffsets = fragmentationOffset;
-      fragmentationOffset = new size_t[size16];
-      memset(fragmentationOffset + oldVectorSize, 0,
-             sizeof(size_t) * (size16 - oldVectorSize));
-      // copy old values
-      memcpy(fragmentationOffset, oldOffsets, sizeof(size_t) * oldVectorSize);
-      delete[] oldOffsets;
-    }
-    // length
-    {
-      size_t* oldLengths = fragmentationLength;
-      fragmentationLength = new size_t[size16];
-      memset(fragmentationLength + oldVectorSize, 0,
-             sizeof(size_t) * (size16 - oldVectorSize));
-      memcpy(fragmentationLength, oldLengths, sizeof(size_t) * oldVectorSize);
-      delete[] oldLengths;
+    uint16_t old_vector_size = fragmentationVectorSize;
+    size_t* old_offsets = fragmentationOffset;
+    fragmentationOffset = new size_t[size16];
+    memset(fragmentationOffset + old_vector_size, 0,
+           sizeof(size_t) * (size16 - old_vector_size));
+    size_t* old_lengths = fragmentationLength;
+    fragmentationLength = new size_t[size16];
+    memset(fragmentationLength + old_vector_size, 0,
+           sizeof(size_t) * (size16 - old_vector_size));
+
+    // copy old values
+    if (old_vector_size > 0) {
+      if (old_offsets != nullptr) {
+        memcpy(fragmentationOffset, old_offsets,
+               sizeof(size_t) * old_vector_size);
+        delete[] old_offsets;
+      }
+      if (old_lengths != nullptr) {
+        memcpy(fragmentationLength, old_lengths,
+               sizeof(size_t) * old_vector_size);
+        delete[] old_lengths;
+      }
    }
    fragmentationVectorSize = size16;
  }