mirror of
https://gitlab.freedesktop.org/gstreamer/gstreamer.git
synced 2024-10-03 01:02:19 +00:00
gstrtpbuffer: fix header extension length validation
We validate the header extensions length of an RTP buffer by comparing it against the block size. Since we multiply the length in words by 4 to get the length in bytes, a suitably large length could cause a wrapround of the uint16, giving a lower length which erroneously passes the check and allows the buffer to be mapped. Part-of: <https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/-/merge_requests/864>
This commit is contained in:
parent
57a23786f3
commit
ac72a6adaa
2 changed files with 25 additions and 1 deletions
|
@ -369,7 +369,7 @@ gst_rtp_buffer_map (GstBuffer * buffer, GstMapFlags flags, GstRTPBuffer * rtp)
|
||||||
/* calc extension length when present. */
|
/* calc extension length when present. */
|
||||||
if (data[0] & 0x10) {
|
if (data[0] & 0x10) {
|
||||||
guint8 *extdata;
|
guint8 *extdata;
|
||||||
guint16 extlen;
|
gsize extlen;
|
||||||
|
|
||||||
/* find memory for the extension bits, we find the block for the first 4
|
/* find memory for the extension bits, we find the block for the first 4
|
||||||
* bytes, all other extension bytes should also be in this block */
|
* bytes, all other extension bytes should also be in this block */
|
||||||
|
|
|
@ -2152,6 +2152,29 @@ GST_START_TEST (test_rtcp_compound_padding)
|
||||||
|
|
||||||
GST_END_TEST;
|
GST_END_TEST;
|
||||||
|
|
||||||
|
GST_START_TEST (test_rtp_buffer_extlen_wraparound)
|
||||||
|
{
|
||||||
|
GstBuffer *buf;
|
||||||
|
guint8 rtp_test_buffer[] = {
|
||||||
|
0x90, 0x7c, 0x18, 0xa6, /* |V=2|P|X|CC|M|PT|sequence number| */
|
||||||
|
0x7a, 0x62, 0x17, 0x0f, /* |timestamp| */
|
||||||
|
0x70, 0x23, 0x91, 0x38, /* |synchronization source (SSRC) identifier| */
|
||||||
|
0xbe, 0xde, 0x40, 0x01, /* |0xBE|0xDE|length=16385| */
|
||||||
|
0x00, 0x00, 0x00, 0x00, /* |0 (pad)|0 (pad)|0 (pad)|0 (pad)| */
|
||||||
|
0x00, 0x00, 0x00, 0x00, /* |0 (pad)|0 (pad)|0 (pad)|0 (pad)| */
|
||||||
|
0xff, 0xff, 0xff, 0xff /* |dummy payload| */
|
||||||
|
};
|
||||||
|
|
||||||
|
GstRTPBuffer rtp = GST_RTP_BUFFER_INIT;
|
||||||
|
|
||||||
|
buf = gst_buffer_new_and_alloc (sizeof (rtp_test_buffer));
|
||||||
|
gst_buffer_fill (buf, 0, rtp_test_buffer, sizeof (rtp_test_buffer));
|
||||||
|
fail_if (gst_rtp_buffer_map (buf, GST_MAP_READ, &rtp));
|
||||||
|
gst_buffer_unref (buf);
|
||||||
|
}
|
||||||
|
|
||||||
|
GST_END_TEST;
|
||||||
|
|
||||||
static Suite *
|
static Suite *
|
||||||
rtp_suite (void)
|
rtp_suite (void)
|
||||||
{
|
{
|
||||||
|
@ -2205,6 +2228,7 @@ rtp_suite (void)
|
||||||
test_ext_timestamp_wraparound_disordered_cannot_unwrap);
|
test_ext_timestamp_wraparound_disordered_cannot_unwrap);
|
||||||
|
|
||||||
tcase_add_test (tc_chain, test_rtcp_compound_padding);
|
tcase_add_test (tc_chain, test_rtcp_compound_padding);
|
||||||
|
tcase_add_test (tc_chain, test_rtp_buffer_extlen_wraparound);
|
||||||
|
|
||||||
return s;
|
return s;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue