From a3ba0c7f5a347ec310ffa95efdf078950134abd5 Mon Sep 17 00:00:00 2001
From: Magnus Jedvert
Date: Thu, 21 May 2015 17:39:21 +0200
Subject: [PATCH] RTPFragmentationHeader::VerifyAndAllocateFragmentationHeader: Verify that size fits in 16 bits

This CL change the function declaration from uint16_t to size_t, and CHECKs that the size fits in uint16_t before proceeding.
BUG=484432
R=tommi@webrtc.org
Committed: https://crrev.com/10022cdeae785187e1d4329042b4ed294c393a16
Cr-Commit-Position: refs/heads/master@{#9246}
Review URL: https://webrtc-codereview.appspot.com/47229004
Cr-Commit-Position: refs/heads/master@{#9253}
---
 .../modules/interface/module_common_types.h | 25 +++++++++++--------
 1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/webrtc/modules/interface/module_common_types.h b/webrtc/modules/interface/module_common_types.h
index 825d7e6c4c..94492b4ab9 100644
--- a/webrtc/modules/interface/module_common_types.h
+++ b/webrtc/modules/interface/module_common_types.h
@@ -15,6 +15,7 @@
 #include // memcpy
 #include
+#include
 #include "webrtc/base/constructormagic.h"
 #include "webrtc/common_types.h"
@@ -193,15 +194,17 @@ class RTPFragmentationHeader {
 }
 }
- void VerifyAndAllocateFragmentationHeader(const uint16_t size) {
- if (fragmentationVectorSize < size) {
+ void VerifyAndAllocateFragmentationHeader(const size_t size) {
+ assert(size <= std::numeric_limits::max());
+ const uint16_t size16 = static_cast(size);
+ if (fragmentationVectorSize < size16) {
 uint16_t oldVectorSize = fragmentationVectorSize;
 {
 // offset
 size_t* oldOffsets = fragmentationOffset;
- fragmentationOffset = new size_t[size];
+ fragmentationOffset = new size_t[size16];
 memset(fragmentationOffset + oldVectorSize, 0,
- sizeof(size_t) * (size - oldVectorSize));
+ sizeof(size_t) * (size16 - oldVectorSize));
 // copy old values
 memcpy(fragmentationOffset, oldOffsets,
 sizeof(size_t) * oldVectorSize);
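Review bot: The added `assert` at the top of VerifyAndAllocateFragmentationHeader is compiled out when NDEBUG is defined, so in a release build a `size` above 65535 is not rejected and the cast that produces `size16` silently truncates it. The four arrays are then allocated for the truncated count, and any caller that goes on to index up to the `size` it asked for would read or write past the end of those heap buffers. The description says the size is CHECKed; if an always-on check was intended, the guard should be one that survives release builds, for example the project's CHECK macro or `if (size > std::numeric_limits<uint16_t>::max()) abort();`. The function body continues past this hunk, and the later hunks only rename `size` to `size16`.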
@@ -210,9 +213,9 @@ class RTPFragmentationHeader {
 // length
 {
 size_t* oldLengths = fragmentationLength;
- fragmentationLength = new size_t[size];
+ fragmentationLength = new size_t[size16];
 memset(fragmentationLength + oldVectorSize, 0,
- sizeof(size_t) * (size - oldVectorSize));
+ sizeof(size_t) * (size16 - oldVectorSize));
 memcpy(fragmentationLength, oldLengths,
 sizeof(size_t) * oldVectorSize);
 delete[] oldLengths;
@@ -220,9 +223,9 @@ class RTPFragmentationHeader {
 // time diff
 {
 uint16_t* oldTimeDiffs = fragmentationTimeDiff;
- fragmentationTimeDiff = new uint16_t[size];
+ fragmentationTimeDiff = new uint16_t[size16];
 memset(fragmentationTimeDiff + oldVectorSize, 0,
- sizeof(uint16_t) * (size - oldVectorSize));
+ sizeof(uint16_t) * (size16 - oldVectorSize));
 memcpy(fragmentationTimeDiff, oldTimeDiffs,
 sizeof(uint16_t) * oldVectorSize);
 delete[] oldTimeDiffs;
@@ -230,14 +233,14 @@ class RTPFragmentationHeader {
 // payload type
 {
 uint8_t* oldTimePlTypes = fragmentationPlType;
- fragmentationPlType = new uint8_t[size];
+ fragmentationPlType = new uint8_t[size16];
 memset(fragmentationPlType + oldVectorSize, 0,
- sizeof(uint8_t) * (size - oldVectorSize));
+ sizeof(uint8_t) * (size16 - oldVectorSize));
 memcpy(fragmentationPlType, oldTimePlTypes,
 sizeof(uint8_t) * oldVectorSize);
 delete[] oldTimePlTypes;
 }
- fragmentationVectorSize = size;
+ fragmentationVectorSize = size16;
 }
 }