From: Wim Taymans Date: Wed, 21 Jan 2009 12:09:29 +0000 (+0100) Subject: Avoid overflows in the padding checks by doing the check slightly X-Git-Tag: RELEASE-0.10.23~365 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=9ce042e2a71deb20e83764daea5997f1450abcae;p=platform%2Fupstream%2Fgst-plugins-base.git Avoid overflows in the padding checks by doing the check slightly differently. Add a unit test to check for correct behaviour. --- diff --git a/gst-libs/gst/rtp/gstrtpbuffer.c b/gst-libs/gst/rtp/gstrtpbuffer.c index b4fe1ac..d199167 100644 --- a/gst-libs/gst/rtp/gstrtpbuffer.c +++ b/gst-libs/gst/rtp/gstrtpbuffer.c @@ -345,8 +345,8 @@ gst_rtp_buffer_validate_data (guint8 * data, guint len) else padding = 0; - /* check if padding not bigger than packet and header */ - if (G_UNLIKELY (len - header_len < padding)) + /* check if padding and header not bigger than packet length */ + if (G_UNLIKELY (len < padding + header_len)) goto wrong_padding; return TRUE; diff --git a/tests/check/libs/rtp.c b/tests/check/libs/rtp.c index bfc33ae..4f87f49 100644 --- a/tests/check/libs/rtp.c +++ b/tests/check/libs/rtp.c @@ -132,6 +132,27 @@ GST_START_TEST (test_rtp_buffer) GST_END_TEST; +GST_START_TEST (test_rtp_buffer_validate_corrupt) +{ + GstBuffer *buf; + guint8 corrupt_rtp_packet[58] = + { + 0x90, 0x7a, 0xbf, 0x28, 0x3a, 0x8a, 0x0a, 0xf4, 0x69, 0x6b, 0x76, 0xc0, + 0x21, 0xe0, 0xe0, 0x60, 0x81, 0x10, 0x84, 0x30, 0x21, 0x52, 0x06, 0xc2, + 0xb8, 0x30, 0x10, 0x4c, 0x08, 0x62, 0x67, 0xc2, 0x6e, 0x1a, 0x53, 0x3f, + 0xaf, 0xd6, 0x1b, 0x29, 0x40, 0xe0, 0xa5, 0x83, 0x01, 0x4b, 0x04, 0x02, + 0xb0, 0x97, 0x63, 0x08, 0x10, 0x4b, 0x43, 0x85, 0x37, 0x2c + }; + + buf = gst_buffer_new (); + GST_BUFFER_DATA (buf) = corrupt_rtp_packet; + GST_BUFFER_SIZE (buf) = sizeof (corrupt_rtp_packet); + fail_if (gst_rtp_buffer_validate (buf)); + gst_buffer_unref (buf); +} + +GST_END_TEST; + GST_START_TEST (test_rtp_buffer_set_extension_data) { GstBuffer *buf; @@ -368,6 +389,7 @@ rtp_suite (void) suite_add_tcase (s, tc_chain); tcase_add_test (tc_chain, test_rtp_buffer); + tcase_add_test (tc_chain, test_rtp_buffer_validate_corrupt); tcase_add_test (tc_chain, test_rtp_buffer_set_extension_data); tcase_add_test (tc_chain, test_rtp_seqnum_compare);