Prevent OOB reads for zero-length H264 payloads.

Also fixes zero-length OOB reads for generic packetization. BUG=webrtc:4771 R=stefan@webrtc.org Review URL: https://codereview.webrtc.org/1218013002 Cr-Commit-Position: refs/heads/master@{#9521}
2015-06-30 05:09:39 -07:00 · 2015-06-30 05:09:39 -07:00 · 7ada923a94
commit 7ada923a94
parent 48c3839e70
3 changed files with 19 additions and 0 deletions
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
@ -10,6 +10,7 @@

 #include <string.h>

+#include "webrtc/base/logging.h"
 #include "webrtc/modules/interface/module_common_types.h"
 #include "webrtc/modules/rtp_rtcp/source/byte_io.h"
 #include "webrtc/modules/rtp_rtcp/source/h264_sps_parser.h"
@ -316,6 +317,11 @@ bool RtpDepacketizerH264::Parse(ParsedPayload* parsed_payload,
                                const uint8_t* payload_data,
                                size_t payload_data_length) {
  assert(parsed_payload != NULL);
+  if (payload_data_length == 0) {
+    LOG(LS_ERROR) << "Empty payload.";
+    return false;
+  }
+
  uint8_t nal_type = payload_data[0] & kTypeMask;
  size_t offset = 0;
  if (nal_type == kFuA) {
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc
@ -537,4 +537,12 @@ TEST_F(RtpDepacketizerH264Test, TestFuA) {
  EXPECT_EQ(kH264FuA, payload.type.Video.codecHeader.H264.packetization_type);
  EXPECT_EQ(kIdr, payload.type.Video.codecHeader.H264.nalu_type);
 }
+
+TEST_F(RtpDepacketizerH264Test, TestEmptyPayload) {
+  // Using a wild pointer to crash on accesses from inside the depacketizer.
+  uint8_t* garbage_ptr = reinterpret_cast<uint8_t*>(0x4711);
+  RtpDepacketizer::ParsedPayload payload;
+  EXPECT_FALSE(depacketizer_->Parse(&payload, garbage_ptr, 0));
+}
+
 }  // namespace webrtc
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_video_generic.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_video_generic.cc
@ -10,6 +10,7 @@

 #include <string>

+#include "webrtc/base/logging.h"
 #include "webrtc/modules/interface/module_common_types.h"
 #include "webrtc/modules/rtp_rtcp/source/rtp_format_video_generic.h"

@ -90,6 +91,10 @@ bool RtpDepacketizerGeneric::Parse(ParsedPayload* parsed_payload,
                                   const uint8_t* payload_data,
                                   size_t payload_data_length) {
  assert(parsed_payload != NULL);
+  if (payload_data_length == 0) {
+    LOG(LS_ERROR) << "Empty payload.";
+    return false;
+  }

  uint8_t generic_header = *payload_data++;
  --payload_data_length;