Bug 1216837: add explicit error checks for packet length in srtp r=mc…

…manus rs=jesup
dothq · Dec 5, 2015 · a94574d · a94574d
1 parent 7742360
commit a94574d
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/netwerk/srtp/src/srtp/srtp.c b/netwerk/srtp/src/srtp/srtp.c
@@ -807,6 +807,8 @@ srtp_stream_init(srtp_stream_ctx_t *srtp,
        srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
        enc_start += (ntohs(xtn_hdr->length) + 1);
      }
+     if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len))
+       return err_status_parse_err;
      enc_octet_len = (unsigned int)(*pkt_octet_len 
 				    - ((enc_start - (uint32_t *)hdr) << 2));
    } else {
@@ -1076,6 +1078,8 @@ srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
       srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
       enc_start += (ntohs(xtn_hdr->length) + 1);
     }  
+    if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
+      return err_status_parse_err;
     enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len 
 			       - ((enc_start - (uint32_t *)hdr) << 2));
   } else {