Avoid overflow in checking for emulation bytes in rbsp.

Also fixed an arithmetic issue where a 0 0 3 at the end of the rbsp would include the 3 (that's not a legal bitstream anyway, so it probably wasn't a real bug, but it was incorrect). This maintains the underflow fix from an earlier CL (https://codereview.webrtc.org/1219493004/). The overflow fix is virtually impossible to hit (hence no unit tests), but is there for strict correctness. BUG= Review URL: https://codereview.webrtc.org/1226203002 Cr-Commit-Position: refs/heads/master@{#9581}
2015-07-14 10:45:02 -07:00
parent ba8c15b857
commit 43e7d3bc15
1 changed files with 5 additions and 1 deletions
--- a/webrtc/modules/rtp_rtcp/source/h264_sps_parser.cc
+++ b/webrtc/modules/rtp_rtcp/source/h264_sps_parser.cc
@ -36,7 +36,11 @@ bool H264SpsParser::Parse() {
  // section 7.3.1 of the H.264 standard.
  rtc::ByteBuffer rbsp_buffer;
  for (size_t i = 0; i < byte_length_;) {
-    if (i + 3 < byte_length_ && sps_[i] == 0 && sps_[i + 1] == 0 &&
+    // Be careful about over/underflow here. byte_length_ - 3 can underflow, and
+    // i + 3 can overflow, but byte_length_ - i can't, because i < byte_length_
+    // above, and that expression will produce the number of bytes left in
+    // the stream including the byte at i.
+    if (byte_length_ - i >= 3 && sps_[i] == 0 && sps_[i + 1] == 0 &&
        sps_[i + 2] == 3) {
      // Two rbsp bytes + the emulation byte.
      rbsp_buffer.WriteBytes(sps_bytes + i, 2);