zqz/platform-external-webrtc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix buffer overflow in ulpfec recovery

Browse Source 
Bug: chromium:856823
Change-Id: I21fe21789ed3efbf71b5d3e234740a50c7911f6c
Reviewed-on: https://webrtc-review.googlesource.com/88228
Reviewed-by: Rasmus Brandt <brandtr@webrtc.org>
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23947}
This commit is contained in:
Danil Chapovalov
2018-07-11 19:25:53 +02:00
committed by Commit Bot
parent a715f28968
commit 865feabca9
1 changed files with 4 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
modules/rtp_rtcp/source/forward_error_correction.cc
View File

@ -609,8 +609,8 @@ void ForwardErrorCorrection::XorPayloads(const Packet& src,
size_t dst_offset,
Packet* dst) {
// XOR the payload.
RTC_DCHECK_LE(kRtpHeaderSize + payload_length, sizeof(src.data));
RTC_DCHECK_LE(dst_offset + payload_length, sizeof(dst->data));
RTC_CHECK_LE(kRtpHeaderSize + payload_length, sizeof(src.data));
RTC_CHECK_LE(dst_offset + payload_length, sizeof(dst->data));
for (size_t i = 0; i < payload_length; ++i) {
dst->data[dst_offset + i] ^= src.data[kRtpHeaderSize + i];
}
@ -627,7 +627,8 @@ bool ForwardErrorCorrection::RecoverPacket(const ReceivedFecPacket& fec_packet,
recovered_packet->seq_num = protected_packet->seq_num;
} else {
XorHeaders(*protected_packet->pkt, recovered_packet->pkt);
XorPayloads(*protected_packet->pkt, protected_packet->pkt->length,
XorPayloads(*protected_packet->pkt,
protected_packet->pkt->length - kRtpHeaderSize,
kRtpHeaderSize, recovered_packet->pkt);
}
}