author | Ilya Nikolaevskiy <ilnik@webrtc.org> | 2020-01-17 14:15:27 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-05 14:09:50 +0000 |
commit | 51012dcb3e6ef5f59d5dcc001a00e2b087c44c97 (patch) | |
tree | 4d8c71480d42dd50611f599c8bd4ef014abf3c99 | |
parent | da60616b9692a7885ac2b24f1fa584d18478cbe7 (diff) | |
download | qtwebengine-chromium-51012dcb3e6ef5f59d5dcc001a00e2b087c44c97.tar.gz |
[Backport] CVE-2020-6387 - Out of bounds write in WebRTC
Manual backport of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/166441:
Add safety checks in RtpPacket::ZeroMutableExtensions and fuzz it
Bug: chromium:1042535
Change-Id: I9573ef438dc76782bb8d5ba06e79fc83611118f8
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc b/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc
index 5f919ff24e1..544dfbf75d4 100644
--- a/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc
+++ b/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc
@@ -168,11 +168,11 @@ void RtpPacket::CopyAndZeroMutableExtensions(
 break;
 }
 case RTPExtensionType::kRtpExtensionVideoTiming: {
- // Nullify 3 last entries: packetization delay and 2 network timestamps.
- // Each of them is 2 bytes.
+ // Nullify last entries, starting at pacer delay.
+ // These are set by pacer and SFUs
 memset(buffer.data() + extension.offset +
 VideoSendTiming::kPacerExitDeltaOffset,
- 0, 6);
+ 0, extension.length - VideoSendTiming::kPacerExitDeltaOffset);
 break;
 }
 case RTPExtensionType::kRtpExtensionTransportSequenceNumber: |
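Review bot: The new length argument `extension.length - VideoSendTiming::kPacerExitDeltaOffset` is computed without first checking that the video-timing extension is at least `kPacerExitDeltaOffset` bytes long. For a shorter extension the difference would go negative and be converted to a very large count by memset's size_t parameter, which is the same class of out-of-bounds write this backport is meant to close. Wrapping the call in `if (extension.length > VideoSendTiming::kPacerExitDeltaOffset) { ... }` and skipping the zeroing otherwise would bound it. The declarations of `extension.length` and the constant are not visible in the hunk, so the exact promotion behaviour should be confirmed there. The commit message names RtpPacket::ZeroMutableExtensions, while this hunk only touches CopyAndZeroMutableExtensions (whose body starts and ends outside the hunk), so it is worth checking that the sibling function does not keep a fixed-size memset of its own.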