Fixing invalid IPv6 address parsing stack underflow on Windows. Occurred when parsing an address with more than 7 colons. For example: 1::2:3:4:5:6:7::8 BUG=webrtc:7592 Review-Url: https://codereview.webrtc.org/2867653002 Cr-Commit-Position: refs/heads/master@{#18054}

commit: 966963ac7d62bdac051eacae234495fd355919e6 [log] [tgz]
author: deadbeef <deadbeef@webrtc.org> Mon May 08 11:35:56 2017 -0700
committer: Commit bot <commit-bot@chromium.org> Mon May 08 18:35:56 2017 +0000
tree: 4399bab5aaa90ec9f4ad1bdc606453c7d9a9aafe
parent: 90bdb3d138eaa10627c156b5487ffb4397f48359 [diff] [blame]
diff --git a/webrtc/base/win32.cc b/webrtc/base/win32.cc
index 485f7a6..89970ec 100644
--- a/webrtc/base/win32.cc
+++ b/webrtc/base/win32.cc

@@ -276,6 +276,11 @@
             ++coloncounter;
           }
           // (coloncount + 1) is the number of shorts left in the address.
+          // If this number is greater than the number of available shorts, the
+          // address is malformed.
+          if (coloncount + 1 > addr_end - addr_cursor) {
+            return 0;
+          }
           addr_cursor = addr_end - (coloncount + 1);
           seencompressed = true;
         }
@@ -285,7 +290,7 @@
     } else {
       uint16_t word;
       int bytesread = 0;
-      if (sscanf(readcursor, "%hx%n", &word, &bytesread) != 1) {
+      if (sscanf(readcursor, "%4hx%n", &word, &bytesread) != 1) {
         return 0;
       } else {
         *addr_cursor = HostToNetwork16(word);
commit	966963ac7d62bdac051eacae234495fd355919e6	[log] [tgz]
author	deadbeef <deadbeef@webrtc.org>	Mon May 08 11:35:56 2017 -0700
committer	Commit bot <commit-bot@chromium.org>	Mon May 08 18:35:56 2017 +0000
tree	4399bab5aaa90ec9f4ad1bdc606453c7d9a9aafe
parent	90bdb3d138eaa10627c156b5487ffb4397f48359 [diff] [blame]