From f2eae333a2e42d20e92e7606bfca087fddcaaaa0 Mon Sep 17 00:00:00 2001
From: dkirovbroadsoft <dkirovbroadsoft@gmail.com>
Date: Fri, 6 May 2016 06:12:21 -0700
Subject: [PATCH] Corrected bug in checking the third number and added extra
 checks for memory protection.

BUG=webrtc:5454

Review-Url: https://codereview.webrtc.org/1615653009
Cr-Commit-Position: refs/heads/master@{#12643}
---
 .../channel_transport/udp_transport_impl.cc   | 25 +++++++++++++------
 1 file changed, 18 insertions(+), 7 deletions(-)

diff --git a/webrtc/test/channel_transport/udp_transport_impl.cc b/webrtc/test/channel_transport/udp_transport_impl.cc
index c7049aa8a2..897c808522 100644
--- a/webrtc/test/channel_transport/udp_transport_impl.cc
+++ b/webrtc/test/channel_transport/udp_transport_impl.cc
@@ -2922,6 +2922,10 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
                 // Store index of dots and count number of dots.
                 iDotPos[nDots++] = i;
             }
+            else if (isdigit(ipadr[i]) == 0)
+            {
+                return false;
+            }
         }
 
         bool allUnder256 = false;
@@ -2942,7 +2946,7 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
                 memset(nr,0,4);
                 strncpy(nr,&ipadr[0],iDotPos[0]);
                 int32_t num = atoi(nr);
-                if (num > 255)
+                if (num > 255 || num < 0)
                 {
                     break;
                 }
@@ -2956,7 +2960,7 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
                 memset(nr,0,4);
                 strncpy(nr,&ipadr[iDotPos[0]+1], iDotPos[1] - iDotPos[0] - 1);
                 int32_t num = atoi(nr);
-                if (num > 255)
+                if (num > 255 || num < 0)
                     break;
             } else {
                 break;
@@ -2966,20 +2970,27 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
             {
                 char nr[4];
                 memset(nr,0,4);
-                strncpy(nr,&ipadr[iDotPos[1]+1], iDotPos[1] - iDotPos[0] - 1);
+                strncpy(nr,&ipadr[iDotPos[1]+1], iDotPos[2] - iDotPos[1] - 1);
                 int32_t num = atoi(nr);
-                if (num > 255)
+                if (num > 255 || num < 0)
                     break;
+            } else {
+                break;
+            }
 
+            if (len - iDotPos[2] <= 4)
+            {
+                char nr[4];
                 memset(nr,0,4);
                 strncpy(nr,&ipadr[iDotPos[2]+1], len - iDotPos[2] -1);
-                num = atoi(nr);
-                if (num > 255)
+                int32_t num = atoi(nr);
+                if (num > 255 || num < 0)
                     break;
                 else
                     allUnder256 = true;
-            } else
+            } else {
                 break;
+            }
         } while(false);
 
         if (nDots != 3 || !allUnder256)