Merge pull request #96 from negbie/master

negbie · web-flow · commit 0df024d750a6 · 2018-12-07T09:26:39.000+01:00
Fix bug found by fuzzer
diff --git a/protos/fuzz.go b/protos/fuzz.go
@@ -0,0 +1,18 @@
+// +build gofuzz
+
+package protos
+
+// To run the fuzzer, first download go-fuzz:
+// go get github.com/dvyukov/go-fuzz/...
+//
+// Then build the testing package:
+// go-fuzz-build github.com/negbie/heplify/protos
+//
+// And run the fuzzer
+//
+// go-fuzz -bin=fuzz-protos.zip -workdir=workdir
+
+func Fuzz(data []byte) int {
+	ParseRTCP(data)
+	return 0
+}
diff --git a/protos/rtcp.go b/protos/rtcp.go
@@ -197,7 +197,7 @@ func ParseRTCP(data []byte) (ssrcBytes []byte, rtcpPkt []byte, infoMsg string) {
 	offset := 0
 
 	for dataLen > 0 {
-		if dataLen < 4 || dataLen > 576 || offset >= len(data) {
+		if dataLen < 4 || dataLen > 768 || offset > len(data)-4 {
 			infoMsg = fmt.Sprintf("Fishy RTCP dataLen=%d, offset=%d in packet:\n% X", dataLen, offset, data)
 			break
 		}

Original file line number	Diff line number	Diff line change
`@@ -197,7 +197,7 @@ func ParseRTCP(data []byte) (ssrcBytes []byte, rtcpPkt []byte, infoMsg string) {`
`197`	`197`	`offset := 0`
`198`	`198`
`199`	`199`	`for dataLen > 0 {`
`200`		`- if dataLen < 4 \|\| dataLen > 576 \|\| offset >= len(data) {`
	`200`	`+ if dataLen < 4 \|\| dataLen > 768 \|\| offset > len(data)-4 {`
`201`	`201`	`infoMsg = fmt.Sprintf("Fishy RTCP dataLen=%d, offset=%d in packet:\n% X", dataLen, offset, data)`
`202`	`202`	`break`
`203`	`203`	`}`