RTPFragmentationHeader::VerifyAndAllocateFragmentationHeader: Verify that size fits in 16 bits

This CL change the function declaration from uint16_t to size_t, and CHECKs that the size fits in uint16_t before proceeding.

BUG=484432
R=tommi@webrtc.org

Committed: https://crrev.com/10022cdeae785187e1d4329042b4ed294c393a16
Cr-Commit-Position: refs/heads/master@{#9246}

Review URL: https://webrtc-codereview.appspot.com/47229004

Cr-Commit-Position: refs/heads/master@{#9253}
This commit is contained in:
Magnus Jedvert 2015-05-21 17:39:21 +02:00
parent 36a1438a66
commit a3ba0c7f5a

View File

@ -15,6 +15,7 @@
#include <string.h> // memcpy
#include <algorithm>
#include <limits>
#include "webrtc/base/constructormagic.h"
#include "webrtc/common_types.h"
@ -193,15 +194,17 @@ class RTPFragmentationHeader {
}
}
void VerifyAndAllocateFragmentationHeader(const uint16_t size) {
if (fragmentationVectorSize < size) {
void VerifyAndAllocateFragmentationHeader(const size_t size) {
assert(size <= std::numeric_limits<uint16_t>::max());
const uint16_t size16 = static_cast<uint16_t>(size);
if (fragmentationVectorSize < size16) {
uint16_t oldVectorSize = fragmentationVectorSize;
{
// offset
size_t* oldOffsets = fragmentationOffset;
fragmentationOffset = new size_t[size];
fragmentationOffset = new size_t[size16];
memset(fragmentationOffset + oldVectorSize, 0,
sizeof(size_t) * (size - oldVectorSize));
sizeof(size_t) * (size16 - oldVectorSize));
// copy old values
memcpy(fragmentationOffset, oldOffsets,
sizeof(size_t) * oldVectorSize);
@ -210,9 +213,9 @@ class RTPFragmentationHeader {
// length
{
size_t* oldLengths = fragmentationLength;
fragmentationLength = new size_t[size];
fragmentationLength = new size_t[size16];
memset(fragmentationLength + oldVectorSize, 0,
sizeof(size_t) * (size - oldVectorSize));
sizeof(size_t) * (size16 - oldVectorSize));
memcpy(fragmentationLength, oldLengths,
sizeof(size_t) * oldVectorSize);
delete[] oldLengths;
@ -220,9 +223,9 @@ class RTPFragmentationHeader {
// time diff
{
uint16_t* oldTimeDiffs = fragmentationTimeDiff;
fragmentationTimeDiff = new uint16_t[size];
fragmentationTimeDiff = new uint16_t[size16];
memset(fragmentationTimeDiff + oldVectorSize, 0,
sizeof(uint16_t) * (size - oldVectorSize));
sizeof(uint16_t) * (size16 - oldVectorSize));
memcpy(fragmentationTimeDiff, oldTimeDiffs,
sizeof(uint16_t) * oldVectorSize);
delete[] oldTimeDiffs;
@ -230,14 +233,14 @@ class RTPFragmentationHeader {
// payload type
{
uint8_t* oldTimePlTypes = fragmentationPlType;
fragmentationPlType = new uint8_t[size];
fragmentationPlType = new uint8_t[size16];
memset(fragmentationPlType + oldVectorSize, 0,
sizeof(uint8_t) * (size - oldVectorSize));
sizeof(uint8_t) * (size16 - oldVectorSize));
memcpy(fragmentationPlType, oldTimePlTypes,
sizeof(uint8_t) * oldVectorSize);
delete[] oldTimePlTypes;
}
fragmentationVectorSize = size;
fragmentationVectorSize = size16;
}
}