Bug 1325173 - read full RtpStreamId when parsing RTP header extensions. r?drno draft
authorNico Grunbaum
Wed, 21 Dec 2016 11:57:38 -0800
changeset 453048 587209cb25cacc448e7840fa00930b1109e8e457
parent 450540 954fa6afd7afc5910e188c3194a3dd5c0eb4e875
child 456024 f7f66e0fb29adee77b79eabb8cae2793189502c6
push id39555
push userna-g@nostrum.com
push dateThu, 22 Dec 2016 19:12:25 +0000
reviewersdrno
bugs1325173
milestone53.0a1
Bug 1325173 - read full RtpStreamId when parsing RTP header extensions. r?drno MozReview-Commit-ID: 6zNwcL1SQTa
media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
--- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
+++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
@@ -492,20 +492,28 @@ void RtpHeaderParser::ParseOneByteExtens
         }
         case kRtpExtensionRtpStreamId: {
           //   0                   1                   2
           //   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
           //  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
           //  |  ID   | L=?   |UTF-8 RID value......          |...
           //  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 
+          // As per RFC 5285 section 4.2, len is the length of the header data - 1
+          // E.G. a len of 0 indicates a header data length of  1
+          if ( &ptr[len + 1] > ptrRTPDataExtensionEnd ) {
+            LOG(LS_WARNING) << "Extension RtpStreamId data length " << (len + 1)
+              << " is longer than remaining input parse buffer "
+              << static_cast<size_t>(ptrRTPDataExtensionEnd - ptr);
+            return;
+          }
           // TODO(jesup) - avoid allocating on each packet - high watermark the RID buffer?
-          char* ptrRID = new char[len+1];
-          memcpy(ptrRID, ptr, len);
-          ptrRID[len] = '\0';
+          char* ptrRID = new char[len + 2];
+          memcpy(ptrRID, ptr, len + 1);
+          ptrRID[len + 1] = '\0';
           header.extension.rid = ptrRID;
           header.extension.hasRID = true;
           break;
         }
         default: {
           LOG(LS_WARNING) << "Extension type not implemented: " << type;
           return;
         }
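Review bot: The new guard `if ( &ptr[len + 1] > ptrRTPDataExtensionEnd )` forms a pointer that may lie more than one element past the end of the packet buffer before comparing it, which is undefined behaviour in C++. Because this check protects a `memcpy` of network-supplied bytes, it is safer to compare lengths: `if (ptrRTPDataExtensionEnd - ptr < len + 1) {`, which is the same difference the log message already prints. Separately, `header.extension.rid = ptrRID;` overwrites the previous value, so a packet that repeats the RtpStreamId extension would leak the first `new char[]` buffer if `rid` is a plain owning `char*`. Its declaration and the code that frees it are not in the hunk, so confirm the ownership, or skip the allocation when `hasRID` is already set. The declarations of `ptr` and `len` and the rest of ParseOneByteExtensionHeader are also outside the hunk, so check the type of `len` when applying the length comparison.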