Bug 1324608: restrict RID len. r?ng
MozReview-Commit-ID: 9iA0s4EmGow
--- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_sender.cc
+++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_sender.cc
@@ -1426,17 +1426,22 @@ uint8_t RTPSender::BuildRIDExtension(
rtp_header_extension_map_.GetId(kRtpExtensionRtpStreamId,
&id) != 0) {
// No RtpStreamId or not registered
return 0;
}
size_t pos = 0;
// RID value is not null-terminated in header, so no +1
const uint8_t len = strlen(rid_);
- data_buffer[pos++] = (id << 4) + len;
+ if (len > 16 || len == 0) {
+ LOG(LS_ERROR) << "Failed to add RID header because of unsupported RID"
+ " length: " << len;
+ return 0;
+ }
+ data_buffer[pos++] = (id << 4) + (len - 1);
memcpy(data_buffer + pos, rid_, len);
pos += len;
return pos;
}
bool RTPSender::FindHeaderExtensionPosition(RTPExtensionType type,
const uint8_t* rtp_packet,
size_t rtp_packet_length,