Prevent potential buffer overflow in UlpfecReceiver

Bug: chromium:841962 Change-Id: I5ef0341a5fffe6b6204f5b2edbaec2d389a56964 Reviewed-on: https://webrtc-review.googlesource.com/77420 Commit-Queue: Ying Wang <yinwa@webrtc.org> Reviewed-by: Rasmus Brandt <brandtr@webrtc.org> Reviewed-by: Danil Chapovalov <danilchap@webrtc.org> Cr-Commit-Position: refs/heads/master@{#23341}
2025-05-14 14:20:45 +01:00 · 2018-05-18 13:48:58 +02:00 · 2018-05-18 13:48:58 +02:00 · 7a84fcf47a
commit 7a84fcf47a
parent 97cb90a440
1 changed files with 6 additions and 1 deletions
--- a/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
+++ b/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
@ -80,7 +80,11 @@ int32_t UlpfecReceiverImpl::AddReceivedRedPacket(
        << "Received RED packet with different SSRC than expected; dropping.";
    return -1;
  }
-
+  if (packet_length > IP_PACKET_SIZE) {
+    RTC_LOG(LS_WARNING) << "Received RED packet with length exceeds maximum IP "
+                           "packet size; dropping.";
+    return -1;
+  }
  rtc::CritScope cs(&crit_sect_);

  uint8_t red_header_length = 1;
@ -180,6 +184,7 @@ int32_t UlpfecReceiverImpl::AddReceivedRedPacket(

  } else if (received_packet->is_fec) {
    ++packet_counter_.num_fec_packets;
+
    // everything behind the RED header
    memcpy(received_packet->pkt->data,
           incoming_rtp_packet + header.headerLength + red_header_length,