[Opalvoip-svn] SF.net SVN: opalvoip:[26909] opal/trunk/src/rtp/rtp.cxx
From: <rjo...@us...> - 2012-01-30 12:40:44
Revision: 26909 http://opalvoip.svn.sourceforge.net/opalvoip/?rev=26909&view=rev
Author: rjongbloed
Date: 2012-01-30 12:40:33 +0000 (Mon, 30 Jan 2012)
Log Message:
-----------
Make sure when decoding multiple header extensions it does not decode beyond the total size of the extensions.
Modified Paths:
--------------
opal/trunk/src/rtp/rtp.cxx
Modified: opal/trunk/src/rtp/rtp.cxx
===================================================================
--- opal/trunk/src/rtp/rtp.cxx 2012-01-30 12:23:08 UTC (rev 26908)
+++ opal/trunk/src/rtp/rtp.cxx 2012-01-30 12:40:33 UTC (rev 26909)
@@ -224,11 +224,12 @@
 BYTE * ptr = (BYTE *)&theArray[MinHeaderSize + 4*GetContribSrcCount()];
 id = *(PUInt16b *)ptr;
- ptr += 4;
+ int extensionSize = *(PUInt16b *)(ptr += 2) * 4;
+ ptr += 2;
 if (idx < 0) {
 // RFC 3550 format
- length = *(PUInt16b *)(ptr += 2);
+ length = extensionSize;
 return ptr + 2;
 }
@@ -238,14 +239,19 @@
 switch (*ptr & 0xf) {
 case 0 :
 ++ptr;
+ --extensionSize;
 break;
 case 15 :
 return NULL;
 default :
- ptr += (*ptr >> 4)+2;
+ int len = (*ptr >> 4)+2;
+ ptr += len;
+ extensionSize -= len;
 }
+ if (extensionSize <= 0)
+ return NULL;
 }
 id = *ptr >> 4;
@@ -256,8 +262,11 @@
 if ((id&0xfff0) == 0x1000) {
 // RFC 5285 two byte format
 while (idx-- > 0) {
- if (*ptr++ != 0)
- ptr += *ptr + 1;
+ if (*ptr++ != 0) {
+ int len = *ptr + 1;
+ ptr += len;
+ extensionSize -= len;
+ }
 }
 id = *ptr++;
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site. |
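Review bot: `extensionSize` is taken straight from the packet's 16-bit length field, and nothing in this hunk compares it with the number of bytes actually held in `theArray`, so the new limit only confines the walk to the length the sender declared. A check that the declared extension fits inside the received data belongs right after the `int extensionSize = ...` line, returning NULL when it does not; the start of the function is outside the hunk, so such a check may already exist there. Separately, in the RFC 3550 branch `ptr` already points at the first extension data byte after the added `ptr += 2;`, so `return ptr + 2;` combined with `length = extensionSize;` appears to give the caller a window that starts two bytes late and ends two bytes past the declared extension. `return ptr;` looks like the intended line.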
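Review bot: The added `if (extensionSize <= 0) return NULL;` runs only inside the loop body, so a call with `idx == 0` reaches `id = *ptr >> 4;` with no check at all, including when the declared extension length is zero. Repeating the check immediately before `id = *ptr >> 4;` covers that case. The declaration `int len = (*ptr >> 4)+2;` directly under `default :` would also read better inside its own braces. The loop header and the code that consumes the selected element are outside the hunk, so whether that element's own length is checked against the remaining size cannot be seen here.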
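Review bot: In the two-byte loop `extensionSize` is decremented but never tested, so unlike the one-byte loop this walk is still not stopped at the end of the declared extension before `id = *ptr++;` is read. The accounting also misses the byte consumed by `*ptr++` itself: a padding byte subtracts nothing, and a real element subtracts one byte less than `ptr` advances. Adding `--extensionSize;` after the inner `if` block and `if (extensionSize <= 0) return NULL;` at the end of each iteration would match the one-byte branch. The rest of this branch is outside the hunk.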