[Opalvoip-svn] SF.net SVN: opalvoip:[26909] opal/trunk/src/rtp/rtp.cxx

[<rjo...@us...>]

Revision: 26909
          http://opalvoip.svn.sourceforge.net/opalvoip/?rev=26909&view=rev
Author:   rjongbloed
Date:     2012-01-30 12:40:33 +0000 (Mon, 30 Jan 2012)
Log Message:
-----------
Make sure when decoding multiple header extensions it does not decode beyond the total size of the extensions.

Modified Paths:
--------------
    opal/trunk/src/rtp/rtp.cxx

Modified: opal/trunk/src/rtp/rtp.cxx
===================================================================
--- opal/trunk/src/rtp/rtp.cxx	2012-01-30 12:23:08 UTC (rev 26908)
+++ opal/trunk/src/rtp/rtp.cxx	2012-01-30 12:40:33 UTC (rev 26909)
@@ -224,11 +224,12 @@
 
   BYTE * ptr = (BYTE *)&theArray[MinHeaderSize + 4*GetContribSrcCount()];
   id = *(PUInt16b *)ptr;
-  ptr += 4;
+  int extensionSize = *(PUInt16b *)(ptr += 2) * 4;
+  ptr += 2;
 
   if (idx < 0) {
     // RFC 3550 format
-    length = *(PUInt16b *)(ptr += 2);
+    length = extensionSize;
     return ptr + 2;
   }
 
@@ -238,14 +239,19 @@
       switch (*ptr & 0xf) {
         case 0 :
           ++ptr;
+          --extensionSize;
           break;
 
         case 15 :
           return NULL;
 
         default :
-          ptr += (*ptr >> 4)+2;
+          int len = (*ptr >> 4)+2;
+          ptr += len;
+          extensionSize -= len;
       }
+      if (extensionSize <= 0)
+        return NULL;
     }
 
     id = *ptr >> 4;
@@ -256,8 +262,11 @@
   if ((id&0xfff0) == 0x1000) {
     // RFC 5285 two byte format
     while (idx-- > 0) {
-      if (*ptr++ != 0)
-        ptr += *ptr + 1;
+      if (*ptr++ != 0) {
+        int len = *ptr + 1;
+        ptr += len;
+        extensionSize -= len;
+      }
     }
 
     id = *ptr++;

This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.