fix: rtcp_xr_unpack death-loop

ireader · ireader · commit 0472df2d4316 · 2024-06-10T10:29:03.000+08:00
diff --git a/librtp/source/rtcp-xr.c b/librtp/source/rtcp-xr.c
@@ -581,6 +581,7 @@ static int rtcp_xr_ecn_pack(const rtcp_ecn_t* ecn, uint8_t* ptr, uint32_t bytes)
 void rtcp_xr_unpack(struct rtp_context* ctx, const rtcp_header_t* header, const uint8_t* ptr, size_t bytes)
 {
     int r;
+    size_t len;
     struct rtcp_msg_t msg;
     struct rtp_member* sender;
 
@@ -600,8 +601,11 @@ void rtcp_xr_unpack(struct rtp_context* ctx, const rtcp_header_t* header, const
     bytes -= 4;
     while (bytes >= 4)
     {
-        msg.type = RTCP_XR | (ptr[0] << 8);
+        len = nbo_r16(ptr + 2);
+        if (len * 4 > bytes - 4)
+            break; // invalid
 
+        msg.type = RTCP_XR | (ptr[0] << 8);
         switch (ptr[0])
         {
         case RTCP_XR_LRLE:
@@ -633,6 +637,9 @@ void rtcp_xr_unpack(struct rtp_context* ctx, const rtcp_header_t* header, const
             r = 0; // ignore
             break;
         }
+
+        ptr += len;
+        bytes -= len;
     }
 
     return;

Original file line number	Diff line number	Diff line change
`@@ -581,6 +581,7 @@ static int rtcp_xr_ecn_pack(const rtcp_ecn_t* ecn, uint8_t* ptr, uint32_t bytes)`
`581`	`581`	`void rtcp_xr_unpack(struct rtp_context* ctx, const rtcp_header_t* header, const uint8_t* ptr, size_t bytes)`
`582`	`582`	`{`
`583`	`583`	`int r;`
	`584`	`+ size_t len;`
`584`	`585`	`struct rtcp_msg_t msg;`
`585`	`586`	`struct rtp_member* sender;`
`586`	`587`
`@@ -600,8 +601,11 @@ void rtcp_xr_unpack(struct rtp_context* ctx, const rtcp_header_t* header, const`
`600`	`601`	`bytes -= 4;`
`601`	`602`	`while (bytes >= 4)`
`602`	`603`	`{`
`603`		`- msg.type = RTCP_XR \| (ptr[0] << 8);`
	`604`	`+ len = nbo_r16(ptr + 2);`
	`605`	`+ if (len * 4 > bytes - 4)`
	`606`	`+ break; // invalid`
`604`	`607`
	`608`	`+ msg.type = RTCP_XR \| (ptr[0] << 8);`
`605`	`609`	`switch (ptr[0])`
`606`	`610`	`{`
`607`	`611`	`case RTCP_XR_LRLE:`
`@@ -633,6 +637,9 @@ void rtcp_xr_unpack(struct rtp_context* ctx, const rtcp_header_t* header, const`
`633`	`637`	`r = 0; // ignore`
`634`	`638`	`break;`
`635`	`639`	`}`
	`640`	`+`
	`641`	`+ ptr += len;`
	`642`	`+ bytes -= len;`
`636`	`643`	`}`
`637`	`644`
`638`	`645`	`return;`