Avoid overflows in the padding checks by doing the check slightly

differently.
Add a unit test to check for correct behaviour.

diff --git a/gst-libs/gst/rtp/gstrtpbuffer.c b/gst-libs/gst/rtp/gstrtpbuffer.c
index b4fe1ac..d199167 100644 (file)
--- a/gst-libs/gst/rtp/gstrtpbuffer.c
+++ b/gst-libs/gst/rtp/gstrtpbuffer.c
@@ -345,8 +345,8 @@ gst_rtp_buffer_validate_data (guint8 * data, guint len)
   else
     padding = 0;
 
-  /* check if padding not bigger than packet and header */
-  if (G_UNLIKELY (len - header_len < padding))
+  /* check if padding and header not bigger than packet length */
+  if (G_UNLIKELY (len < padding + header_len))
     goto wrong_padding;
 
   return TRUE;

diff --git a/tests/check/libs/rtp.c b/tests/check/libs/rtp.c
index bfc33ae..4f87f49 100644 (file)
--- a/tests/check/libs/rtp.c
+++ b/tests/check/libs/rtp.c
@@ -132,6 +132,27 @@ GST_START_TEST (test_rtp_buffer)
 
 GST_END_TEST;
 
+GST_START_TEST (test_rtp_buffer_validate_corrupt)
+{
+  GstBuffer *buf;
+  guint8 corrupt_rtp_packet[58] =
+  {
+    0x90, 0x7a, 0xbf, 0x28, 0x3a, 0x8a, 0x0a, 0xf4, 0x69, 0x6b, 0x76, 0xc0,
+    0x21, 0xe0, 0xe0, 0x60, 0x81, 0x10, 0x84, 0x30, 0x21, 0x52, 0x06, 0xc2,
+    0xb8, 0x30, 0x10, 0x4c, 0x08, 0x62, 0x67, 0xc2, 0x6e, 0x1a, 0x53, 0x3f,
+    0xaf, 0xd6, 0x1b, 0x29, 0x40, 0xe0, 0xa5, 0x83, 0x01, 0x4b, 0x04, 0x02,
+    0xb0, 0x97, 0x63, 0x08, 0x10, 0x4b, 0x43, 0x85, 0x37, 0x2c
+  };
+
+  buf = gst_buffer_new ();
+  GST_BUFFER_DATA (buf) = corrupt_rtp_packet;
+  GST_BUFFER_SIZE (buf) = sizeof (corrupt_rtp_packet);
+  fail_if (gst_rtp_buffer_validate (buf));
+  gst_buffer_unref (buf);
+}
+
+GST_END_TEST;
+
 GST_START_TEST (test_rtp_buffer_set_extension_data)
 {
   GstBuffer *buf;
@@ -368,6 +389,7 @@ rtp_suite (void)
 
   suite_add_tcase (s, tc_chain);
   tcase_add_test (tc_chain, test_rtp_buffer);
+  tcase_add_test (tc_chain, test_rtp_buffer_validate_corrupt);
   tcase_add_test (tc_chain, test_rtp_buffer_set_extension_data);
   tcase_add_test (tc_chain, test_rtp_seqnum_compare);