From 51012dcb3e6ef5f59d5dcc001a00e2b087c44c97 Mon Sep 17 00:00:00 2001
From: Ilya Nikolaevskiy
Date: Fri, 17 Jan 2020 14:15:27 +0100
Subject: [Backport] CVE-2020-6387 - Out of bounds write in WebRTC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on https://webrtc-review.googlesource.com/c/src/+/166441: Add safety checks in RtpPacket::ZeroMutableExtensions and fuzz it

Bug: chromium:1042535
Change-Id: I9573ef438dc76782bb8d5ba06e79fc83611118f8
Reviewed-by: Jüri Valdmann
---
 chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc b/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc
index 5f919ff24e1..544dfbf75d4 100644
--- a/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc
+++ b/chromium/third_party/webrtc/modules/rtp_rtcp/source/rtp_packet.cc
@@ -168,11 +168,11 @@ void RtpPacket::CopyAndZeroMutableExtensions(
 break;
 }
 case RTPExtensionType::kRtpExtensionVideoTiming: {
- // Nullify 3 last entries: packetization delay and 2 network timestamps.
- // Each of them is 2 bytes.
+ // Nullify last entries, starting at pacer delay.
+ // These are set by pacer and SFUs
 memset(buffer.data() + extension.offset +
 VideoSendTiming::kPacerExitDeltaOffset,
- 0, 6);
+ 0, extension.length - VideoSendTiming::kPacerExitDeltaOffset);
 break;
 }
 case RTPExtensionType::kRtpExtensionTransportSequenceNumber:
--
cgit v1.2.1
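Review bot: The new size argument `extension.length - VideoSendTiming::kPacerExitDeltaOffset` is computed with no check, at least within this hunk, that `extension.length` is not smaller than that offset. If a video-timing extension shorter than the offset reaches this case, the difference goes negative and, once converted to memset's `size_t` parameter, becomes a very large write size, which is the same class of out-of-bounds write the backport is meant to close. Unless the length is already validated earlier in CopyAndZeroMutableExtensions (its body starts and ends outside the hunk), guard the call with `if (extension.length > VideoSendTiming::kPacerExitDeltaOffset) { ... }` around the memset. The new comment could also state that the zeroed length now comes from the packet's extension header rather than a fixed 6 bytes, so the next reader knows why the bound matters.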