Avoid overflows in the padding checks by doing the check slightly

differently. Add a unit test to check for correct behaviour.
2024-07-03 13:16:04 +00:00 · 2009-01-21 13:09:29 +01:00 · 2009-01-21 13:09:29 +01:00 · 9ce042e2a7
parent 28418d1fec
commit 9ce042e2a7
2 changed files with 24 additions and 2 deletions
--- a/gst-libs/gst/rtp/gstrtpbuffer.c
+++ b/gst-libs/gst/rtp/gstrtpbuffer.c
@ -345,8 +345,8 @@ gst_rtp_buffer_validate_data (guint8 * data, guint len)
  else
    padding = 0;

-  /* check if padding not bigger than packet and header */
-  if (G_UNLIKELY (len - header_len < padding))
+  /* check if padding and header not bigger than packet length */
+  if (G_UNLIKELY (len < padding + header_len))
    goto wrong_padding;

  return TRUE;
--- a/tests/check/libs/rtp.c
+++ b/tests/check/libs/rtp.c
@ -132,6 +132,27 @@ GST_START_TEST (test_rtp_buffer)

 GST_END_TEST;

+GST_START_TEST (test_rtp_buffer_validate_corrupt)
+{
+  GstBuffer *buf;
+  guint8 corrupt_rtp_packet[58] =
+  {
+    0x90, 0x7a, 0xbf, 0x28, 0x3a, 0x8a, 0x0a, 0xf4, 0x69, 0x6b, 0x76, 0xc0,
+    0x21, 0xe0, 0xe0, 0x60, 0x81, 0x10, 0x84, 0x30, 0x21, 0x52, 0x06, 0xc2,
+    0xb8, 0x30, 0x10, 0x4c, 0x08, 0x62, 0x67, 0xc2, 0x6e, 0x1a, 0x53, 0x3f,
+    0xaf, 0xd6, 0x1b, 0x29, 0x40, 0xe0, 0xa5, 0x83, 0x01, 0x4b, 0x04, 0x02,
+    0xb0, 0x97, 0x63, 0x08, 0x10, 0x4b, 0x43, 0x85, 0x37, 0x2c
+  };
+
+  buf = gst_buffer_new ();
+  GST_BUFFER_DATA (buf) = corrupt_rtp_packet;
+  GST_BUFFER_SIZE (buf) = sizeof (corrupt_rtp_packet);
+  fail_if (gst_rtp_buffer_validate (buf));
+  gst_buffer_unref (buf);
+}
+
+GST_END_TEST;
+
 GST_START_TEST (test_rtp_buffer_set_extension_data)
 {
  GstBuffer *buf;
@ -368,6 +389,7 @@ rtp_suite (void)

  suite_add_tcase (s, tc_chain);
  tcase_add_test (tc_chain, test_rtp_buffer);
+  tcase_add_test (tc_chain, test_rtp_buffer_validate_corrupt);
  tcase_add_test (tc_chain, test_rtp_buffer_set_extension_data);
  tcase_add_test (tc_chain, test_rtp_seqnum_compare);