Fixing integer overflow when parsing bandwidth attribute.

It's still valid SDP so just clamp it at INT_MAX. BUG=chromium:648071 Review-Url: https://codereview.webrtc.org/2571073002 Cr-Commit-Position: refs/heads/master@{#15582}
2016-12-13 16:37:06 -08:00 · 2016-12-13 16:37:06 -08:00 · b236257763
commit b236257763
parent 9396a08077
2 changed files with 21 additions and 0 deletions
--- a/webrtc/api/webrtcsdp.cc
+++ b/webrtc/api/webrtcsdp.cc
@ -2641,6 +2641,8 @@ bool ParseContent(const std::string& message,
                        << cricket::kDataMaxBandwidth / 1000 << "kbps.";
            return ParseFailed(line, description.str(), error);
          }
+          // Prevent integer overflow.
+          b = std::min(b, INT_MAX / 1000);
          media_desc->set_bandwidth(b * 1000);
        }
      }
--- a/webrtc/api/webrtcsdp_unittest.cc
+++ b/webrtc/api/webrtcsdp_unittest.cc
@ -3319,3 +3319,22 @@ TEST_F(WebRtcSdpTest, DeserializeSctpPortInVideoDescription) {
  ExpectParseFailure(std::string(kSdpWithSctpPortInVideoDescription),
                     "sctp-port");
 }
+
+// Regression test for integer overflow bug:
+// https://bugs.chromium.org/p/chromium/issues/detail?id=648071
+TEST_F(WebRtcSdpTest, DeserializeLargeBandwidthLimit) {
+  JsepSessionDescription jdesc_output(kDummyString);
+
+  // Bandwidth attribute is the max signed 32-bit int, which will get
+  // multiplied by 1000 and cause int overflow if not careful.
+  const char kSdpWithLargeBandwidth[] =
+      "v=0\r\n"
+      "o=- 18446744069414584320 18446462598732840960 IN IP4 127.0.0.1\r\n"
+      "s=-\r\n"
+      "t=0 0\r\n"
+      "m=video 3457 RTP/SAVPF 120\r\n"
+      "b=AS:2147483647\r\n"
+      "foo=fail\r\n";
+
+  ExpectParseFailure(std::string(kSdpWithLargeBandwidth), "foo=fail");
+}