Add boundary checks

Author: deiteris

alvr/server/cpp/alvr_server/ClientConnection.cpp

@@ -32,7 +32,7 @@ void sendHeaders(uint8_t **buf, int *len, int nalNum) {
 	int headersLen = 0;
 	int foundHeaders = -1; // Offset by 1 header to find the length until the next header
 	while (b != end) {
-		if (memcmp(b, NAL_HEADER, sizeof(NAL_HEADER)) == 0) {
+		if (b + sizeof(NAL_HEADER) <= end && memcmp(b, NAL_HEADER, sizeof(NAL_HEADER)) == 0) {
 			foundHeaders++;
 			if (foundHeaders == nalNum) {
 				break;
@@ -58,11 +58,16 @@ void processH264Nals(uint8_t **buf, int *len) {
 	uint8_t *b = *buf;
 	int l = *len;
 	uint8_t nalType = b[4] & 0x1F;
-	
+
 	if (nalType == H264_NAL_TYPE_AUD) {
-		b += sizeof(NAL_HEADER) + 2;
-		l -= sizeof(NAL_HEADER) + 2;
-		nalType = b[4] & 0x1F;
+		uint8_t nalSize = sizeof(NAL_HEADER) + 2;
+		if (l >= nalSize) {
+			b += nalSize;
+			l -= nalSize;
+		}
+		if (l > sizeof(NAL_HEADER)) {
+			nalType = b[4] & 0x1F;
+		}
 	}
 	if (nalType == H264_NAL_TYPE_SPS) {
 		sendHeaders(&b, &l, 2); // 2 headers SPS and PPS
@@ -75,11 +80,16 @@ void processH265Nals(uint8_t **buf, int *len) {
 	uint8_t *b = *buf;
 	int l = *len;
 	uint8_t nalType = (b[4] >> 1) & 0x3F;
-	
+
 	if (nalType == H265_NAL_TYPE_AUD) {
-		b += sizeof(NAL_HEADER) + 3;
-		l -= sizeof(NAL_HEADER) + 3;
-		nalType = (b[4] >> 1) & 0x3F;
+		uint8_t nalSize = sizeof(NAL_HEADER) + 3;
+		if (l >= nalSize) {
+			b += nalSize;
+			l -= nalSize;
+		}
+		if (l > sizeof(NAL_HEADER)) {
+			nalType = (b[4] >> 1) & 0x3F;
+		}
 	}
 	if (nalType == H265_NAL_TYPE_VPS) {
 		sendHeaders(&b, &l, 3); // 3 headers VPS, SPS and PPS
@@ -92,6 +102,10 @@ void ClientConnection::SendVideo(uint8_t *buf, int len, uint64_t targetTimestamp
 	// Report before the frame is packetized
 	ReportEncoded(targetTimestampNs);
 
+	if (len < sizeof(NAL_HEADER)) {
+		return;
+	}
+
 	int codec = Settings::Instance().m_codec;
 	if (codec == ALVR_CODEC_H264) {
 		processH264Nals(&buf, &len);