rtcpbuffer: prevent overflow of 16bit header length.

RTCP header can be  (2^16 + 1) * 4 bytes long, so when validating a bogus
packet it was possible to get a 16bit overflow resulting in a length of 0.
This would put the gst_rtcp_buffer_validate_data function in a endless loop.

https://bugzilla.gnome.org/show_bug.cgi?id=667313

diff --git a/gst-libs/gst/rtp/gstrtcpbuffer.c b/gst-libs/gst/rtp/gstrtcpbuffer.c
index fbd928c9220a1dacb0787b413a534a82d4be661b..539f76387510bccaa7b1f0d96cccac7c7d28557a 100644 (file)
--- a/gst-libs/gst/rtp/gstrtcpbuffer.c
+++ b/gst-libs/gst/rtp/gstrtcpbuffer.c
@@ -111,7 +111,7 @@ gboolean
 gst_rtcp_buffer_validate_data (guint8 * data, guint len)
 {
   guint16 header_mask;
-  guint16 header_len;
+  guint header_len;
   guint8 version;
   guint data_len;
   gboolean padding;