From 84a812e659864f201b4c38374d58982f45228486 Mon Sep 17 00:00:00 2001
From: Dan Minor
Date: Fri, 10 Jul 2020 11:31:39 -0400
Subject: [PATCH] Check old_vector_size prior to copying in RTPFragmentationHeader::Resize

Bug: webrtc:11739
Change-Id: Ifafa0f8f00cc97e3a332b4f615fb828d89199d5b
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/178500
Commit-Queue: Tommi
Reviewed-by: Mirko Bonadei
Reviewed-by: Danil Chapovalov
Reviewed-by: Tommi
Cr-Commit-Position: refs/heads/master@{#31704}
---
 modules/include/module_common_types.cc | 41 ++++++++++++++------------
 1 file changed, 22 insertions(+), 19 deletions(-)
diff --git a/modules/include/module_common_types.cc b/modules/include/module_common_types.cc
index 86f753356d..a589312ec2 100644
--- a/modules/include/module_common_types.cc
+++ b/modules/include/module_common_types.cc
@@ -90,25 +90,28 @@ void RTPFragmentationHeader::CopyFrom(const RTPFragmentationHeader& src) {
 void RTPFragmentationHeader::Resize(size_t size) {
 const uint16_t size16 = rtc::dchecked_cast(size);
 if (fragmentationVectorSize < size16) {
- uint16_t oldVectorSize = fragmentationVectorSize;
- {
- // offset
- size_t* oldOffsets = fragmentationOffset;
- fragmentationOffset = new size_t[size16];
- memset(fragmentationOffset + oldVectorSize, 0,
- sizeof(size_t) * (size16 - oldVectorSize));
- // copy old values
- memcpy(fragmentationOffset, oldOffsets, sizeof(size_t) * oldVectorSize);
- delete[] oldOffsets;
- }
- // length
- {
- size_t* oldLengths = fragmentationLength;
- fragmentationLength = new size_t[size16];
- memset(fragmentationLength + oldVectorSize, 0,
- sizeof(size_t) * (size16 - oldVectorSize));
- memcpy(fragmentationLength, oldLengths, sizeof(size_t) * oldVectorSize);
- delete[] oldLengths;
+ uint16_t old_vector_size = fragmentationVectorSize;
+ size_t* old_offsets = fragmentationOffset;
+ fragmentationOffset = new size_t[size16];
+ memset(fragmentationOffset + old_vector_size, 0,
+ sizeof(size_t) * (size16 - old_vector_size));
+ size_t* old_lengths = fragmentationLength;
+ fragmentationLength = new size_t[size16];
+ memset(fragmentationLength + old_vector_size, 0,
+ sizeof(size_t) * (size16 - old_vector_size));
+
+ // copy old values
+ if (old_vector_size > 0) {
+ if (old_offsets != nullptr) {
+ memcpy(fragmentationOffset, old_offsets,
+ sizeof(size_t) * old_vector_size);
+ delete[] old_offsets;
+ }
+ if (old_lengths != nullptr) {
+ memcpy(fragmentationLength, old_lengths,
+ sizeof(size_t) * old_vector_size);
+ delete[] old_lengths;
+ }
 }
 fragmentationVectorSize = size16;
 }
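Review bot: The two `delete[]` calls now sit inside `if (old_vector_size > 0)` and the null checks, so a header whose size is 0 but whose arrays are non-null would leak both old buffers on resize; the removed code freed them unconditionally, and `delete[]` on a null pointer is a no-op. In the opposite inconsistent state (non-zero size, null pointer) the copy is skipped while the `memset` calls zero only the tail, so the first `old_vector_size` elements of the new arrays stay indeterminate even though `fragmentationVectorSize` then reports them as valid offsets and lengths. Whether either state is reachable depends on code outside this hunk, but both are cheap to close: value-initialise with `fragmentationOffset = new size_t[size16]();` (same for `fragmentationLength`), and move `delete[] old_offsets;` and `delete[] old_lengths;` to after the `if (old_vector_size > 0)` block. Resize's closing brace lies outside the hunk.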