failed assertion `payloadOffset < this->payloadLength': payload offset bigger than payload size #159
Comments
It happens in VP8.cpp, here:

```cpp
// Modify the RtpPacket payload in order to always have two byte pictureId.
if (!payloadDescriptor->hasTwoBytePictureId)
{
	// Shift the RTP payload one byte from the beginning of the pictureId field.
	packet->ShiftPayload(2, 1, true /*expand*/);
	// Set the two byte pictureId marker bit.
	data[2] = 0x80;
	// Update the payloadDescriptor.
	payloadDescriptor->hasTwoBytePictureId = true;
}
```

This is probably produced by Edge. AFAIR it sends rare VP8 payloads, without some fields. So basically the caller must check the payload size before calling |
Oops, no, what happens (AFAIR) is that Edge does NOT include This is, the fact that a VP8 payload does not have I assume that, within |
It happened again in the demo server (which was updated):
|
Checking

```cpp
if (payloadDescriptor->i)
{
	if (len < ++offset + 1)
		return nullptr;
	byte = data[offset];
	if ((byte >> 7) & 0x01)
	{
		if (len < ++offset + 1)
			return nullptr;
		payloadDescriptor->hasTwoBytePictureId = true;
		payloadDescriptor->pictureId = (byte & 0x7F) << 8;
		payloadDescriptor->pictureId += data[offset];
	}
	else
	{
		payloadDescriptor->pictureId = byte & 0x7F;
	}
}
```

so this check will return true anyway:

```cpp
if (payloadDescriptor->i && !payloadDescriptor->hasTwoBytePictureId)
```

|
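As an added example (not code from mediasoup or from this thread), here is a bounds-checked VP8 payload descriptor parser in the style of the snippet above, with a PictureID-widening step that refuses packets whose descriptor carries no PictureID (I bit clear), the kind of short Edge payload the thread attributes the assertion to. The field layout follows RFC 7741; the struct and function names are assumptions.

```cpp
// Added example, not mediasoup's code: bounds-checked VP8 descriptor parser.
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>
struct Vp8Descriptor {
    bool x = false, i = false, l = false, t = false, k = false, hasTwoBytePictureId = false;
    uint16_t pictureId = 0;
    size_t length = 0;  // descriptor bytes consumed
};
// Returns nullopt whenever a flag promises a field the buffer does not hold.
std::optional<Vp8Descriptor> parseVp8Descriptor(const uint8_t* data, size_t len) {
    Vp8Descriptor d;
    size_t off = 0;
    if (len < 1) return std::nullopt;
    d.x = data[off++] & 0x80;
    if (d.x) {
        if (len < off + 1) return std::nullopt;
        uint8_t b = data[off++];
        d.i = b & 0x80; d.l = b & 0x40; d.t = b & 0x20; d.k = b & 0x10;
        if (d.i) {
            if (len < off + 1) return std::nullopt;
            uint8_t pid = data[off++];
            if (pid & 0x80) {  // M bit: 15-bit PictureID spans two bytes
                if (len < off + 1) return std::nullopt;
                d.hasTwoBytePictureId = true;
                d.pictureId = ((pid & 0x7F) << 8) | data[off++];
            } else {
                d.pictureId = pid & 0x7F;
            }
        }
        if (d.l) { if (len < off + 1) return std::nullopt; ++off; }         // TL0PICIDX
        if (d.t || d.k) { if (len < off + 1) return std::nullopt; ++off; }  // TID/Y/KEYIDX
    }
    d.length = off;
    return d;
}
// Widens a one-byte PictureID to two bytes (M bit set, value kept). Returns false,
// leaving the buffer untouched, when the descriptor is malformed or has no PictureID
// (I bit clear): the expand-shift at offset 2 must never run on such a packet.
bool widenPictureId(std::vector<uint8_t>& payload) {
    auto d = parseVp8Descriptor(payload.data(), payload.size());
    if (!d || !d->i || d->hasTwoBytePictureId) return false;
    uint8_t low = payload[2] & 0x7F;           // old 7-bit PictureID
    payload[2] = 0x80;                         // M=1, high 7 bits zero
    payload.insert(payload.begin() + 3, low);  // shift the rest right by one
    return true;
}
```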
I've committed a fix: 1528cfe However, I think there are more vulnerabilities as, |
To clarify, the fact that the original payload has bit flags set ( |
Fix + tests will be ready tomorrow. |
Comment: Whenever returning I'm working on this right now. |
OK, then the check should also verify whether |
If this I'm working on it. |
AFAIU the crash happens when the Producer mangles the packet so before any Encode() call. |
Here was the problem to this issue: 725ea8b If the Some VP8 tests have been added too. |
Also, the suggested |