From fa31beb730714ca3180b211967e429299488b5c0 Mon Sep 17 00:00:00 2001
From: Roger Zanoni
Date: Tue, 24 Jan 2023 10:23:52 +0000
Subject: [Backport] CVE-2023-0698: Out of bounds read in WebRTC (1/2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cherry-pick of patch originally reviewed on https://webrtc-review.googlesource.com/c/src/+/291109: Handle the case of missing certificates. M102 merge issues: No conflict but needed to reset the author of this commit to be able to upload it. Original author: Henrik Boström Certificates being missing is a sign of a bug (e.g. webrtc:14844, to be fixed separately) which is why we have a DCHECK. But this DCHECK does not protect against accessing the invalid iterator if it is a release build. This CL makes that safe.
Bug: chromium:1408392
Change-Id: I97a82786028e41c58ef8ef15002c3f959bbec7f1
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/291109
Commit-Queue: Henrik Boström
Cr-Commit-Position: refs/heads/main@{#39159}
(cherry picked from commit 124d7c3fe5bdc79a355c9df02d07f25331631a68)
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460493
Reviewed-by: Allan Sandfeld Jensen
---
chromium/third_party/webrtc/pc/rtc_stats_collector.cc | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/chromium/third_party/webrtc/pc/rtc_stats_collector.cc b/chromium/third_party/webrtc/pc/rtc_stats_collector.cc
index 79e6ad27b4b..81ba52a1193 100644
--- a/chromium/third_party/webrtc/pc/rtc_stats_collector.cc
+++ b/chromium/third_party/webrtc/pc/rtc_stats_collector.cc
@@ -2087,16 +2087,17 @@ void RTCStatsCollector::ProduceTransportStats_n(
 // exist.
 const auto& certificate_stats_it = transport_cert_stats.find(transport_name);
+ std::string local_certificate_id, remote_certificate_id;
 RTC_DCHECK(certificate_stats_it != transport_cert_stats.cend());
- std::string local_certificate_id;
- if (certificate_stats_it->second.local) {
- local_certificate_id = RTCCertificateIDFromFingerprint(
- certificate_stats_it->second.local->fingerprint);
- }
- std::string remote_certificate_id;
- if (certificate_stats_it->second.remote) {
- remote_certificate_id = RTCCertificateIDFromFingerprint(
- certificate_stats_it->second.remote->fingerprint);
+ if (certificate_stats_it != transport_cert_stats.cend()) {
+ if (certificate_stats_it->second.local) {
+ local_certificate_id = RTCCertificateIDFromFingerprint(
+ certificate_stats_it->second.local->fingerprint);
+ }
+ if (certificate_stats_it->second.remote) {
+ remote_certificate_id = RTCCertificateIDFromFingerprint(
+ certificate_stats_it->second.remote->fingerprint);
+ }
 }
 // There is one transport stats for each channel.
--
cgit v1.2.1
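Review bot: When `certificate_stats_it == transport_cert_stats.cend()`, a release build now falls through the new `if` silently and reports empty certificate ids, so the state the RTC_DCHECK guards against leaves no trace outside debug builds. An `else` branch with a warning, e.g. `RTC_LOG(LS_WARNING) << "No certificate stats for transport " << transport_name;` (assuming the file already includes the logging header), would keep the bug visible in the field until the root cause tracked as webrtc:14844 is fixed. A short comment above the `if`, such as `// RTC_DCHECK is compiled out in release builds; never dereference cend().`, would also stop a later cleanup from removing the seemingly redundant check. The body of ProduceTransportStats_n starts and ends outside the hunk, so it should be confirmed that the code after it treats an empty `local_certificate_id` / `remote_certificate_id` as absent.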