From: Will Miller Date: Mon, 12 Oct 2020 11:21:17 +0000 (+0100) Subject: gstrtpbuffer: fix header extension length validation X-Git-Tag: 1.19.3~511^2~407 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=ac72a6adaa08a013a52c62a2009c5ca67e47b21a;p=platform%2Fupstream%2Fgstreamer.git gstrtpbuffer: fix header extension length validation We validate the header extensions length of an RTP buffer by comparing it against the block size. Since we multiply the length in words by 4 to get the length in bytes, a suitably large length could cause a wrapround of the uint16, giving a lower length which erroneously passes the check and allows the buffer to be mapped. Part-of: --- diff --git a/gst-libs/gst/rtp/gstrtpbuffer.c b/gst-libs/gst/rtp/gstrtpbuffer.c index 3db9601be2..ae519f313c 100644 --- a/gst-libs/gst/rtp/gstrtpbuffer.c +++ b/gst-libs/gst/rtp/gstrtpbuffer.c @@ -369,7 +369,7 @@ gst_rtp_buffer_map (GstBuffer * buffer, GstMapFlags flags, GstRTPBuffer * rtp) /* calc extension length when present. */ if (data[0] & 0x10) { guint8 *extdata; - guint16 extlen; + gsize extlen; /* find memory for the extension bits, we find the block for the first 4 * bytes, all other extension bytes should also be in this block */ diff --git a/tests/check/libs/rtp.c b/tests/check/libs/rtp.c index de3aa8e25f..f5a13cdf6c 100644 --- a/tests/check/libs/rtp.c +++ b/tests/check/libs/rtp.c @@ -2152,6 +2152,29 @@ GST_START_TEST (test_rtcp_compound_padding) GST_END_TEST; +GST_START_TEST (test_rtp_buffer_extlen_wraparound) +{ + GstBuffer *buf; + guint8 rtp_test_buffer[] = { + 0x90, 0x7c, 0x18, 0xa6, /* |V=2|P|X|CC|M|PT|sequence number| */ + 0x7a, 0x62, 0x17, 0x0f, /* |timestamp| */ + 0x70, 0x23, 0x91, 0x38, /* |synchronization source (SSRC) identifier| */ + 0xbe, 0xde, 0x40, 0x01, /* |0xBE|0xDE|length=16385| */ + 0x00, 0x00, 0x00, 0x00, /* |0 (pad)|0 (pad)|0 (pad)|0 (pad)| */ + 0x00, 0x00, 0x00, 0x00, /* |0 (pad)|0 (pad)|0 (pad)|0 (pad)| */ + 0xff, 0xff, 0xff, 0xff /* |dummy payload| */ + }; + + GstRTPBuffer rtp = GST_RTP_BUFFER_INIT; + + buf = gst_buffer_new_and_alloc (sizeof (rtp_test_buffer)); + gst_buffer_fill (buf, 0, rtp_test_buffer, sizeof (rtp_test_buffer)); + fail_if (gst_rtp_buffer_map (buf, GST_MAP_READ, &rtp)); + gst_buffer_unref (buf); +} + +GST_END_TEST; + static Suite * rtp_suite (void) { @@ -2205,6 +2228,7 @@ rtp_suite (void) test_ext_timestamp_wraparound_disordered_cannot_unwrap); tcase_add_test (tc_chain, test_rtcp_compound_padding); + tcase_add_test (tc_chain, test_rtp_buffer_extlen_wraparound); return s; }