From d8a6e72057ec3ecc16833694f1ff6658f5f66db9 Mon Sep 17 00:00:00 2001
From: "solenberg@webrtc.org"
 <solenberg@webrtc.org@4adac7df-926f-26a2-2b94-8c16560cd09d>
Date: Tue, 26 Mar 2013 14:02:30 +0000
Subject: [PATCH] Fix potential buffer overrun when checking if a packet is
 RTCP. Also makes validation slightly more robust.

BUG=

Review URL: https://webrtc-codereview.appspot.com/1232005

git-svn-id: http://webrtc.googlecode.com/svn/trunk@3726 4adac7df-926f-26a2-2b94-8c16560cd09d
---
 webrtc/modules/rtp_rtcp/source/rtp_utility.cc | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/webrtc/modules/rtp_rtcp/source/rtp_utility.cc b/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
index 37df7d254a..08743b3b2a 100644
--- a/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
@@ -45,6 +45,11 @@ namespace webrtc {
 
 namespace ModuleRTPUtility {
 
+enum {
+  kRtcpMinHeaderLength = 4,
+  kRtcpExpectedVersion = 2
+};
+
 /*
  * Time routines.
  */
@@ -269,11 +274,18 @@ bool RTPHeaderParser::RTCP() const {
   * FMT 15:    Application layer FB message
   */
 
+  const ptrdiff_t length = _ptrRTPDataEnd - _ptrRTPDataBegin;
+  if (length < kRtcpMinHeaderLength) {
+    return false;
+  }
+
+  const WebRtc_UWord8 V  = _ptrRTPDataBegin[0] >> 6;
+  if (V != kRtcpExpectedVersion) {
+    return false;
+  }
+
   const WebRtc_UWord8  payloadType = _ptrRTPDataBegin[1];
-
   bool RTCP = false;
-
-  // check if this is a RTCP packet
   switch (payloadType) {
     case 192:
       RTCP = true;