Fix for potential out of bounds reading in rtcp::RemoteEstimate parser.

packet_size() includes the size of padding, this means that the size
check might incorrectly not trigger even if the payload is empty. In
turn this means that the ReadBigEndian call might read out of bounds
memory.

Refactored the code to reuse the App parsing code more, eliminating
the risk of this particular kind of error.

Bug: chromium:987507
Change-Id: Id8f3e292c3d30460d3cdb551f0a45070fdf8f022
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/146716
Reviewed-by: Stefan Holmer <stefan@webrtc.org>
Commit-Queue: Sebastian Jansson <srte@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#28680}

modules/rtp_rtcp/source/rtcp_receiver.cc

@@ -698,11 +698,15 @@ void RTCPReceiver::HandleNack(const CommonHeader& rtcp_block,
 
 void RTCPReceiver::HandleApp(const rtcp::CommonHeader& rtcp_block,
                              PacketInformation* packet_information) {
-  if (rtcp::RemoteEstimate::IsNetworkEstimate(rtcp_block)) {
-    rtcp::RemoteEstimate estimate;
-    if (estimate.Parse(rtcp_block)) {
-      packet_information->network_state_estimate = estimate.estimate();
-      return;
+  rtcp::App app;
+  if (app.Parse(rtcp_block)) {
+    if (app.name() == rtcp::RemoteEstimate::kName &&
+        app.sub_type() == rtcp::RemoteEstimate::kSubType) {
+      rtcp::RemoteEstimate estimate(std::move(app));
+      if (estimate.ParseData()) {
+        packet_information->network_state_estimate = estimate.estimate();
+        return;
+      }
     }
   }
   ++num_skipped_packets_;