diff --git a/talk/app/webrtc/webrtcsdp.cc b/talk/app/webrtc/webrtcsdp.cc index eeb6a3239..de45c0998 100644 --- a/talk/app/webrtc/webrtcsdp.cc +++ b/talk/app/webrtc/webrtcsdp.cc @@ -39,6 +39,7 @@ #include "talk/media/base/codec.h" #include "talk/media/base/constants.h" #include "talk/media/base/cryptoparams.h" +#include "talk/media/base/rtputils.h" #include "talk/media/sctp/sctpdataengine.h" #include "webrtc/p2p/base/candidate.h" #include "webrtc/p2p/base/constants.h" @@ -587,6 +588,14 @@ static bool GetValueFromString(const std::string& line, return true; } +static bool GetPayloadTypeFromString(const std::string& line, + const std::string& s, + int* payload_type, + SdpParseError* error) { + return GetValueFromString(line, s, payload_type, error) && + cricket::IsValidRtpPayloadType(*payload_type); +} + void CreateTracksFromSsrcInfos(const SsrcInfoVec& ssrc_infos, StreamParamsVec* tracks) { ASSERT(tracks != NULL); @@ -2206,7 +2215,7 @@ bool ParseMediaDescription(const std::string& message, } int pl = 0; - if (!GetValueFromString(line, fields[j], &pl, error)) { + if (!GetPayloadTypeFromString(line, fields[j], &pl, error)) { return false; } codec_preference.push_back(pl); @@ -2923,7 +2932,8 @@ bool ParseRtpmapAttribute(const std::string& line, return false; } int payload_type = 0; - if (!GetValueFromString(line, payload_type_value, &payload_type, error)) { + if (!GetPayloadTypeFromString(line, payload_type_value, &payload_type, + error)) { return false; } @@ -3061,7 +3071,7 @@ bool ParseFmtpAttributes(const std::string& line, const MediaType media_type, } int int_payload_type = 0; - if (!GetValueFromString(line, payload_type, &int_payload_type, error)) { + if (!GetPayloadTypeFromString(line, payload_type, &int_payload_type, error)) { return false; } if (media_type == cricket::MEDIA_TYPE_AUDIO) { @@ -3093,7 +3103,8 @@ bool ParseRtcpFbAttribute(const std::string& line, const MediaType media_type, } int payload_type = kWildcardPayloadType; if (payload_type_string != "*") { - if (!GetValueFromString(line, payload_type_string, &payload_type, error)) { + if (!GetPayloadTypeFromString(line, payload_type_string, &payload_type, + error)) { return false; } } diff --git a/talk/media/base/rtputils.cc b/talk/media/base/rtputils.cc index aaa76c053..7252cada0 100644 --- a/talk/media/base/rtputils.cc +++ b/talk/media/base/rtputils.cc @@ -176,7 +176,8 @@ bool SetRtpSsrc(void* data, size_t len, uint32 value) { // Assumes version 2, no padding, no extensions, no csrcs. bool SetRtpHeader(void* data, size_t len, const RtpHeader& header) { - if (header.payload_type >= 0x7F) { + if (!IsValidRtpPayloadType(header.payload_type) || + header.seq_num < 0 || header.seq_num > UINT16_MAX) { return false; } return (SetUint8(data, kRtpFlagsOffset, kRtpVersion << 6) && @@ -194,4 +195,8 @@ bool IsRtpPacket(const void* data, size_t len) { return (static_cast(data)[0] >> 6) == kRtpVersion; } +bool IsValidRtpPayloadType(int payload_type) { + return payload_type >= 0 && payload_type <= 127; +} + } // namespace cricket diff --git a/talk/media/base/rtputils.h b/talk/media/base/rtputils.h index fa055fa35..d6e1b4d87 100644 --- a/talk/media/base/rtputils.h +++ b/talk/media/base/rtputils.h @@ -67,6 +67,10 @@ bool SetRtpSsrc(void* data, size_t len, uint32 value); bool SetRtpHeader(void* data, size_t len, const RtpHeader& header); bool IsRtpPacket(const void* data, size_t len); + +// True if |payload type| is 0-127. +bool IsValidRtpPayloadType(int payload_type); + } // namespace cricket #endif // TALK_MEDIA_BASE_RTPUTILS_H_ diff --git a/talk/media/webrtc/webrtcvideoengine.cc b/talk/media/webrtc/webrtcvideoengine.cc index ed5a6267c..78246dcf6 100644 --- a/talk/media/webrtc/webrtcvideoengine.cc +++ b/talk/media/webrtc/webrtcvideoengine.cc @@ -1772,6 +1772,8 @@ bool WebRtcVideoMediaChannel::SetRecvCodecs( receive_codecs_.push_back(wcodec); int apt; if (iter->GetParam(cricket::kCodecParamAssociatedPayloadType, &apt)) { + if (!IsValidRtpPayloadType(apt)) + return false; associated_payload_types_[wcodec.plType] = apt; } } @@ -1808,6 +1810,8 @@ bool WebRtcVideoMediaChannel::SetSendCodecs( int rtx_type = iter->id; int rtx_primary_type = -1; if (iter->GetParam(kCodecParamAssociatedPayloadType, &rtx_primary_type)) { + if (!IsValidRtpPayloadType(rtx_primary_type)) + return false; primary_rtx_pt_mapping[rtx_primary_type] = rtx_type; } } else if (engine()->CanSendCodec(*iter, dummy_current, &checked_codec)) { diff --git a/talk/media/webrtc/webrtcvideoengine2.cc b/talk/media/webrtc/webrtcvideoengine2.cc index cb025f268..567a719c9 100644 --- a/talk/media/webrtc/webrtcvideoengine2.cc +++ b/talk/media/webrtc/webrtcvideoengine2.cc @@ -2105,9 +2105,11 @@ WebRtcVideoChannel2::MapCodecs(const std::vector& codecs) { case VideoCodec::CODEC_RTX: { int associated_payload_type; if (!in_codec.GetParam(kCodecParamAssociatedPayloadType, - &associated_payload_type)) { - LOG(LS_ERROR) << "RTX codec without associated payload type: " - << in_codec.ToString(); + &associated_payload_type) || + !IsValidRtpPayloadType(associated_payload_type)) { + LOG(LS_ERROR) + << "RTX codec with invalid or no associated payload type: " + << in_codec.ToString(); return std::vector(); } rtx_mapping[associated_payload_type] = in_codec.id; diff --git a/webrtc/voice_engine/test/win_test/WinTestDlg.cc b/webrtc/voice_engine/test/win_test/WinTestDlg.cc index b63b1d206..ea87a0d40 100644 --- a/webrtc/voice_engine/test/win_test/WinTestDlg.cc +++ b/webrtc/voice_engine/test/win_test/WinTestDlg.cc @@ -927,7 +927,7 @@ void CTelephonyEvent::OnBnClickedButtonSetRxTelephonePt() { BOOL ret; int pt = GetDlgItemInt(IDC_EDIT_EVENT_RX_PT, &ret); - if (ret == FALSE) + if (ret == FALSE || pt < 0 || pt > 127) return; CodecInst codec; strcpy_s(codec.plname, 32, "telephone-event"); @@ -940,7 +940,7 @@ void CTelephonyEvent::OnBnClickedButtonSetTxTelephonePt() { BOOL ret; int pt = GetDlgItemInt(IDC_EDIT_EVENT_TX_PT, &ret); - if (ret == FALSE) + if (ret == FALSE || pt < 0 || pt > 127) return; TEST2(_veDTMFPtr->SetSendTelephoneEventPayloadType(_channel, pt) == 0, _T("SetSendTelephoneEventPayloadType(channel=%d, type=%u)"), _channel, pt);