From 7a84fcf47a492d17ca20947e65b21a06b28e77cd Mon Sep 17 00:00:00 2001
From: Ying Wang
Date: Fri, 18 May 2018 13:48:58 +0200
Subject: [PATCH] Prevent potential buffer overflow in UlpfecReceiver
Bug: chromium:841962
Change-Id: I5ef0341a5fffe6b6204f5b2edbaec2d389a56964
Reviewed-on: https://webrtc-review.googlesource.com/77420
Commit-Queue: Ying Wang
Reviewed-by: Rasmus Brandt
Reviewed-by: Danil Chapovalov
Cr-Commit-Position: refs/heads/master@{#23341}
---
 modules/rtp_rtcp/source/ulpfec_receiver_impl.cc | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc b/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
index 480e764206..cb3e28bd46 100644
--- a/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
+++ b/modules/rtp_rtcp/source/ulpfec_receiver_impl.cc
@@ -80,7 +80,11 @@ int32_t UlpfecReceiverImpl::AddReceivedRedPacket(
 << "Received RED packet with different SSRC than expected; dropping.";
 return -1;
 }
-
+ if (packet_length > IP_PACKET_SIZE) {
+ RTC_LOG(LS_WARNING) << "Received RED packet with length exceeds maximum IP "
+ "packet size; dropping.";
+ return -1;
+ }
 rtc::CritScope cs(&crit_sect_);
 uint8_t red_header_length = 1;
@@ -180,6 +184,7 @@ int32_t UlpfecReceiverImpl::AddReceivedRedPacket(
 } else if (received_packet->is_fec) {
 ++packet_counter_.num_fec_packets;
+ // everything behind the RED header
 memcpy(received_packet->pkt->data, incoming_rtp_packet + header.headerLength + red_header_length,
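Review bot: In the first hunk the new guard in AddReceivedRedPacket bounds `packet_length` only from above, while the copy in the second hunk reads from `incoming_rtp_packet + header.headerLength + red_header_length`, and nothing visible here rejects a packet shorter than its own headers. If no such check sits in the lines between the two hunks, any length derived by subtracting the header sizes would wrap as an unsigned value, so a companion guard such as `if (packet_length <= header.headerLength) return -1;` is worth adding next to the new one. The guard also presumes that `received_packet->pkt->data` holds IP_PACKET_SIZE bytes, which the hunk does not show; once confirmed, a comment like `// pkt->data is IP_PACKET_SIZE bytes; reject anything larger before copying.` would tie the constant to the buffer it protects. The diffstat lists only this file, so a unit test that passes a length of IP_PACKET_SIZE + 1 and expects -1 would pin the fix. The function body starts before the first hunk and continues past the second.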