From 01a25d81c14c44071c5db0c20c01ccfd97cdb5f0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Olivier=20Cr=C3=AAte?=
Date: Thu, 13 Dec 2018 11:20:03 -0500
Subject: [PATCH] rtcpbuffer: Validate the length of RTCP packets

---
 gst-libs/gst/rtp/gstrtcpbuffer.c | 67 +++++++++++++++++++-------------
 1 file changed, 39 insertions(+), 28 deletions(-)

diff --git a/gst-libs/gst/rtp/gstrtcpbuffer.c b/gst-libs/gst/rtp/gstrtcpbuffer.c
index e1944e2763..25201d6982 100644
--- a/gst-libs/gst/rtp/gstrtcpbuffer.c
+++ b/gst-libs/gst/rtp/gstrtcpbuffer.c
@@ -374,6 +374,31 @@ gst_rtcp_buffer_get_packet_count (GstRTCPBuffer * rtcp)
 return count;
 }
 
+static gint
+rtcp_packet_min_length (GstRTCPType type)
+{
+ switch (type) {
+ case GST_RTCP_TYPE_SR:
+ return 28;
+ case GST_RTCP_TYPE_RR:
+ return 8;
+ case GST_RTCP_TYPE_SDES:
+ return 4;
+ case GST_RTCP_TYPE_BYE:
+ return 4;
+ case GST_RTCP_TYPE_APP:
+ return 12;
+ case GST_RTCP_TYPE_RTPFB:
+ return 12;
+ case GST_RTCP_TYPE_PSFB:
+ return 12;
+ case GST_RTCP_TYPE_XR:
+ return 8;
+ default:
+ return -1;
+ }
+}
+
 /**
 * read_packet_header:
 * @packet: a packet
@@ -388,6 +413,8 @@ read_packet_header (GstRTCPPacket * packet)
 guint8 *data;
 gsize maxsize;
 guint offset;
+ gint minsize;
+ guint minlength;
 
 g_return_val_if_fail (packet != NULL, FALSE);
 
@@ -418,6 +445,15 @@ read_packet_header (GstRTCPPacket * packet)
 if (offset + 4 + packet->length * 4 > maxsize)
 return FALSE;
 
+ minsize = rtcp_packet_min_length (packet->type);
+ if (minsize == -1)
+ minsize = 0;
+ minlength = (minsize - 4) >> 2;
+
+ /* Validate the size */
+ if (packet->length < minlength)
+ return FALSE;
+
 return TRUE;
 }
 
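Review bot: rtcp_packet_min_length() has no comment stating the unit of its return value or the meaning of -1, although both of its callers depend on them. Its use in read_packet_header, `(minsize - 4) >> 2`, implies the value is a byte count that includes the 4-byte common header. I would add above the function: `/* Minimum size in bytes, common header included, of an RTCP packet of @type; -1 if the type is unknown. */`.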
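Review bot: For a type that rtcp_packet_min_length() does not know, the clamp `minsize = 0` turns `(minsize - 4) >> 2` into a right shift of -4, which is implementation-defined and yields -1 with an arithmetic shift. Stored in the guint `minlength` this becomes UINT_MAX, so `packet->length < minlength` rejects every packet of an unrecognised type (the type of packet->length is not visible here, but a wire length field cannot plausibly reach that value). If the clamp is meant to accept unknown types that carry only the common header, clamp to the header size instead, `if (minsize == -1) minsize = 4;`, which gives a minlength of 0. If rejection is intended, return FALSE explicitly rather than relying on the wrap. read_packet_header starts outside this hunk.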
@@ -527,34 +563,9 @@ gst_rtcp_buffer_add_packet (GstRTCPBuffer * rtcp, GstRTCPType type,
 /* packet->offset is now pointing to the next free offset in the buffer to
 * start a compount packet. Next we figure out if we have enough free space in
 * the buffer to continue. */
- switch (type) {
- case GST_RTCP_TYPE_SR:
- len = 28;
- break;
- case GST_RTCP_TYPE_RR:
- len = 8;
- break;
- case GST_RTCP_TYPE_SDES:
- len = 4;
- break;
- case GST_RTCP_TYPE_BYE:
- len = 4;
- break;
- case GST_RTCP_TYPE_APP:
- len = 12;
- break;
- case GST_RTCP_TYPE_RTPFB:
- len = 12;
- break;
- case GST_RTCP_TYPE_PSFB:
- len = 12;
- break;
- case GST_RTCP_TYPE_XR:
- len = 8;
- break;
- default:
- goto unknown_type;
- }
+ len = rtcp_packet_min_length (type);
+ if (type == -1)
+ goto unknown_type;
 if (packet->offset + len >= maxsize)
 goto no_space;
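Review bot: The unknown-type guard tests the wrong variable: `if (type == -1)` compares the caller's GstRTCPType with -1, but the sentinel returned by rtcp_packet_min_length() is in `len`. An unrecognised type therefore no longer jumps to `unknown_type` as the removed `default:` branch did; `len` carries -1 (or its unsigned wrap, since its declaration is outside the hunk) into the `packet->offset + len >= maxsize` space check and whatever follows it. The guard should read `if (len == -1) goto unknown_type;`, with the result held in a signed local first if `len` turns out to be unsigned. gst_rtcp_buffer_add_packet starts and ends outside this hunk.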