authorIlya Nikolaevskiy <ilnik@webrtc.org>2020-01-17 14:15:27 +0100
committerMichael Brüning <michael.bruning@qt.io>2020-03-05 14:09:50 +0000
commit51012dcb3e6ef5f59d5dcc001a00e2b087c44c97 (patch)
tree4d8c71480d42dd50611f599c8bd4ef014abf3c99
parentda60616b9692a7885ac2b24f1fa584d18478cbe7 (diff)
downloadqtwebengine-chromium-51012dcb3e6ef5f59d5dcc001a00e2b087c44c97.tar.gz
[Backport] CVE-2020-6387 - Out of bounds write in WebRTC
Manual backport of patch originally reviewed on https://webrtc-review.googlesource.com/c/src/+/166441: Add safety checks in RtpPacket::ZeroMutableExtensions and fuzz it Bug: chromium:1042535 Change-Id: I9573ef438dc76782bb8d5ba06e79fc83611118f8 Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc6
1 files changed, 3 insertions, 3 deletions
diff --git a/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc b/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc
index 5f919ff24e1..544dfbf75d4 100644
--- a/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc
+++ b/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc
@@ -168,11 +168,11 @@ void RtpPacket::CopyAndZeroMutableExtensions(
break;
}
case RTPExtensionType::kRtpExtensionVideoTiming: {
- // Nullify 3 last entries: packetization delay and 2 network timestamps.
- // Each of them is 2 bytes.
+ // Nullify last entries, starting at pacer delay.
+ // These are set by pacer and SFUs
memset(buffer.data() + extension.offset +
VideoSendTiming::kPacerExitDeltaOffset,
- 0, 6);
+ 0, extension.length - VideoSendTiming::kPacerExitDeltaOffset);
break;
}
case RTPExtensionType::kRtpExtensionTransportSequenceNumber:
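Review bot: The new memset length `extension.length - VideoSendTiming::kPacerExitDeltaOffset` is computed with no visible check that `extension.length` is larger than the offset. If a video-timing extension is shorter than expected, the subtraction would go negative and, once converted to memset's `size_t` argument, request a very large write. The commit description mentions added safety checks, but none appears in this hunk. Unless the length is validated earlier in CopyAndZeroMutableExtensions (the function starts and ends outside the hunk), wrap the call in `if (VideoSendTiming::kPacerExitDeltaOffset < extension.length) { ... }`. Because `extension.length` presumably derives from packet contents, a short comment above the memset stating that invariant would also help the next reader.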