Prevent OOB reads for zero-length H264 payloads.
Also fixes zero-length OOB reads for generic packetization.
BUG=webrtc:4771
R=stefan@webrtc.org
Review URL: https://codereview.webrtc.org/1218013002
Cr-Commit-Position: refs/heads/master@{#9521}
diff --git a/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc b/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
index ebd46b0..a5b42ab 100644
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_h264.cc
@@ -10,6 +10,7 @@
#include <string.h>
+#include "webrtc/base/logging.h"
#include "webrtc/modules/interface/module_common_types.h"
#include "webrtc/modules/rtp_rtcp/source/byte_io.h"
#include "webrtc/modules/rtp_rtcp/source/h264_sps_parser.h"
@@ -316,6 +317,11 @@
const uint8_t* payload_data,
size_t payload_data_length) {
assert(parsed_payload != NULL);
+ if (payload_data_length == 0) {
+ LOG(LS_ERROR) << "Empty payload.";
+ return false;
+ }
+
uint8_t nal_type = payload_data[0] & kTypeMask;
size_t offset = 0;
if (nal_type == kFuA) {
diff --git a/webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc b/webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc
index 66a19dd..8fa8301 100644
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_h264_unittest.cc
@@ -537,4 +537,12 @@
EXPECT_EQ(kH264FuA, payload.type.Video.codecHeader.H264.packetization_type);
EXPECT_EQ(kIdr, payload.type.Video.codecHeader.H264.nalu_type);
}
+
+TEST_F(RtpDepacketizerH264Test, TestEmptyPayload) {
+ // Using a wild pointer to crash on accesses from inside the depacketizer.
+ uint8_t* garbage_ptr = reinterpret_cast<uint8_t*>(0x4711);
+ RtpDepacketizer::ParsedPayload payload;
+ EXPECT_FALSE(depacketizer_->Parse(&payload, garbage_ptr, 0));
+}
+
} // namespace webrtc
diff --git a/webrtc/modules/rtp_rtcp/source/rtp_format_video_generic.cc b/webrtc/modules/rtp_rtcp/source/rtp_format_video_generic.cc
index 1fa288a..39b64c6 100644
--- a/webrtc/modules/rtp_rtcp/source/rtp_format_video_generic.cc
+++ b/webrtc/modules/rtp_rtcp/source/rtp_format_video_generic.cc
@@ -10,6 +10,7 @@
#include <string>
+#include "webrtc/base/logging.h"
#include "webrtc/modules/interface/module_common_types.h"
#include "webrtc/modules/rtp_rtcp/source/rtp_format_video_generic.h"
@@ -90,6 +91,10 @@
const uint8_t* payload_data,
size_t payload_data_length) {
assert(parsed_payload != NULL);
+ if (payload_data_length == 0) {
+ LOG(LS_ERROR) << "Empty payload.";
+ return false;
+ }
uint8_t generic_header = *payload_data++;
--payload_data_length;