Fixing integer overflow when parsing bandwidth attribute.
It's still valid SDP so just clamp it at INT_MAX.
BUG=chromium:648071
Review-Url: https://codereview.webrtc.org/2571073002
Cr-Commit-Position: refs/heads/master@{#15582}
diff --git a/webrtc/api/webrtcsdp.cc b/webrtc/api/webrtcsdp.cc
index f0e94b6..f18653d 100644
--- a/webrtc/api/webrtcsdp.cc
+++ b/webrtc/api/webrtcsdp.cc
@@ -2641,6 +2641,8 @@
<< cricket::kDataMaxBandwidth / 1000 << "kbps.";
return ParseFailed(line, description.str(), error);
}
+ // Prevent integer overflow.
+ b = std::min(b, INT_MAX / 1000);
media_desc->set_bandwidth(b * 1000);
}
}
diff --git a/webrtc/api/webrtcsdp_unittest.cc b/webrtc/api/webrtcsdp_unittest.cc
index a2d839b..32f8bba 100644
--- a/webrtc/api/webrtcsdp_unittest.cc
+++ b/webrtc/api/webrtcsdp_unittest.cc
@@ -3319,3 +3319,22 @@
ExpectParseFailure(std::string(kSdpWithSctpPortInVideoDescription),
"sctp-port");
}
+
+// Regression test for integer overflow bug:
+// https://bugs.chromium.org/p/chromium/issues/detail?id=648071
+TEST_F(WebRtcSdpTest, DeserializeLargeBandwidthLimit) {
+ JsepSessionDescription jdesc_output(kDummyString);
+
+ // Bandwidth attribute is the max signed 32-bit int, which will get
+ // multiplied by 1000 and cause int overflow if not careful.
+ const char kSdpWithLargeBandwidth[] =
+ "v=0\r\n"
+ "o=- 18446744069414584320 18446462598732840960 IN IP4 127.0.0.1\r\n"
+ "s=-\r\n"
+ "t=0 0\r\n"
+ "m=video 3457 RTP/SAVPF 120\r\n"
+ "b=AS:2147483647\r\n"
+ "foo=fail\r\n";
+
+ ExpectParseFailure(std::string(kSdpWithLargeBandwidth), "foo=fail");
+}