From 865feabca9a65cd04b5004415e7976aed50b7c2a Mon Sep 17 00:00:00 2001 From: Danil Chapovalov Date: Wed, 11 Jul 2018 19:25:53 +0200 Subject: [PATCH] Fix buffer overflow in ulpfec recovery Bug: chromium:856823 Change-Id: I21fe21789ed3efbf71b5d3e234740a50c7911f6c Reviewed-on: https://webrtc-review.googlesource.com/88228 Reviewed-by: Rasmus Brandt Commit-Queue: Danil Chapovalov Cr-Commit-Position: refs/heads/master@{#23947} --- modules/rtp_rtcp/source/forward_error_correction.cc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/modules/rtp_rtcp/source/forward_error_correction.cc b/modules/rtp_rtcp/source/forward_error_correction.cc index b743110b2d..d54f5d6892 100644 --- a/modules/rtp_rtcp/source/forward_error_correction.cc +++ b/modules/rtp_rtcp/source/forward_error_correction.cc @@ -609,8 +609,8 @@ void ForwardErrorCorrection::XorPayloads(const Packet& src, size_t dst_offset, Packet* dst) { // XOR the payload. - RTC_DCHECK_LE(kRtpHeaderSize + payload_length, sizeof(src.data)); - RTC_DCHECK_LE(dst_offset + payload_length, sizeof(dst->data)); + RTC_CHECK_LE(kRtpHeaderSize + payload_length, sizeof(src.data)); + RTC_CHECK_LE(dst_offset + payload_length, sizeof(dst->data)); for (size_t i = 0; i < payload_length; ++i) { dst->data[dst_offset + i] ^= src.data[kRtpHeaderSize + i]; } @@ -627,7 +627,8 @@ bool ForwardErrorCorrection::RecoverPacket(const ReceivedFecPacket& fec_packet, recovered_packet->seq_num = protected_packet->seq_num; } else { XorHeaders(*protected_packet->pkt, recovered_packet->pkt); - XorPayloads(*protected_packet->pkt, protected_packet->pkt->length, + XorPayloads(*protected_packet->pkt, + protected_packet->pkt->length - kRtpHeaderSize, kRtpHeaderSize, recovered_packet->pkt); } }