From c0ae305a9ec2652214ca9782be35eb902b81345d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Peter=20Bostr=C3=B6m?= Date: Mon, 8 Feb 2016 15:00:16 +0100 Subject: [PATCH] Fix null-pointer dereference in RTPSenderVideo. Since the address of the dereference is taken this inputs a garbage almost-null pointer into RtpPacketizer. Not likely that a load/store is performed on the address, but UBSan fires and it's a source of potential future errors. BUG=webrtc:5124, webrtc:5490 R=stefan@webrtc.org Review URL: https://codereview.webrtc.org/1677003002 . Cr-Commit-Position: refs/heads/master@{#11528} --- webrtc/modules/rtp_rtcp/source/rtp_sender_video.cc | 14 +++++++------- webrtc/modules/rtp_rtcp/source/rtp_sender_video.h | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/webrtc/modules/rtp_rtcp/source/rtp_sender_video.cc b/webrtc/modules/rtp_rtcp/source/rtp_sender_video.cc index 5a565dfa99..55cd64781a 100644 --- a/webrtc/modules/rtp_rtcp/source/rtp_sender_video.cc +++ b/webrtc/modules/rtp_rtcp/source/rtp_sender_video.cc @@ -230,14 +230,14 @@ int32_t RTPSenderVideo::SendVideo(const RtpVideoCodecTypes videoType, const uint8_t* payloadData, const size_t payloadSize, const RTPFragmentationHeader* fragmentation, - const RTPVideoHeader* rtpHdr) { + const RTPVideoHeader* video_header) { if (payloadSize == 0) { return -1; } - rtc::scoped_ptr packetizer( - RtpPacketizer::Create(videoType, _rtpSender.MaxDataPayloadLength(), - &(rtpHdr->codecHeader), frameType)); + rtc::scoped_ptr packetizer(RtpPacketizer::Create( + videoType, _rtpSender.MaxDataPayloadLength(), + video_header ? &(video_header->codecHeader) : nullptr, frameType)); StorageType storage; bool fec_enabled; @@ -253,7 +253,7 @@ int32_t RTPSenderVideo::SendVideo(const RtpVideoCodecTypes videoType, // Register CVO rtp header extension at the first time when we receive a frame // with pending rotation. RTPSenderInterface::CVOMode cvo_mode = RTPSenderInterface::kCVONone; - if (rtpHdr && rtpHdr->rotation != kVideoRotation_0) { + if (video_header && video_header->rotation != kVideoRotation_0) { cvo_mode = _rtpSender.ActivateCVORtpHeaderExtension(); } @@ -292,7 +292,7 @@ int32_t RTPSenderVideo::SendVideo(const RtpVideoCodecTypes videoType, // (e.g. a P-Frame) only if the current value is different from the previous // value sent. // Here we are adding it to every packet of every frame at this point. - if (!rtpHdr) { + if (!video_header) { RTC_DCHECK(!_rtpSender.IsRtpHeaderExtensionRegistered( kRtpExtensionVideoRotation)); } else if (cvo_mode == RTPSenderInterface::kCVOActivated) { @@ -306,7 +306,7 @@ int32_t RTPSenderVideo::SendVideo(const RtpVideoCodecTypes videoType, RTPHeader rtp_header; rtp_parser.Parse(&rtp_header); _rtpSender.UpdateVideoRotation(dataBuffer, packetSize, rtp_header, - rtpHdr->rotation); + video_header->rotation); } if (fec_enabled) { SendVideoPacketAsRed(dataBuffer, payload_bytes_in_packet, diff --git a/webrtc/modules/rtp_rtcp/source/rtp_sender_video.h b/webrtc/modules/rtp_rtcp/source/rtp_sender_video.h index e59321ab93..74c3b058ca 100644 --- a/webrtc/modules/rtp_rtcp/source/rtp_sender_video.h +++ b/webrtc/modules/rtp_rtcp/source/rtp_sender_video.h @@ -52,7 +52,7 @@ class RTPSenderVideo { const uint8_t* payloadData, const size_t payloadSize, const RTPFragmentationHeader* fragmentation, - const RTPVideoHeader* rtpHdr); + const RTPVideoHeader* video_header); int32_t SendRTPIntraRequest();