aboutsummaryrefslogtreecommitdiffstats
path: root/main/libnice/0002-avoid-potential-integer-overflow.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/libnice/0002-avoid-potential-integer-overflow.patch')
-rw-r--r--main/libnice/0002-avoid-potential-integer-overflow.patch32
1 files changed, 32 insertions, 0 deletions
diff --git a/main/libnice/0002-avoid-potential-integer-overflow.patch b/main/libnice/0002-avoid-potential-integer-overflow.patch
new file mode 100644
index 0000000000..d1e2fdf3e9
--- /dev/null
+++ b/main/libnice/0002-avoid-potential-integer-overflow.patch
@@ -0,0 +1,32 @@
+From 6b1eec0630516698ac9cd3343ef7eb8515fee231 Mon Sep 17 00:00:00 2001
+From: Jakub Adam <jakub.adam@collabora.com>
+Date: Thu, 3 Jan 2019 21:26:41 +0100
+Subject: [PATCH] udp-turn: Avoid potential integer overflow
+
+---
+ socket/udp-turn.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/socket/udp-turn.c b/socket/udp-turn.c
+index 1bc5e031..c3b152d1 100644
+--- a/socket/udp-turn.c
++++ b/socket/udp-turn.c
+@@ -362,7 +362,7 @@ socket_recv_messages (NiceSocket *sock,
+ guint f_buffer_len = priv->fragment_buffer->len;
+
+ for (i = 0; i < n_recv_messages && f_buffer_len >= sizeof (guint16); ++i) {
+- guint16 msg_len = ((f_buffer[0] << 8) | f_buffer[1]) + sizeof (guint16);
++ guint32 msg_len = ((f_buffer[0] << 8) | f_buffer[1]) + sizeof (guint16);
+
+ if (msg_len > f_buffer_len) {
+ /* The next message in the buffer isn't complete yet. Wait for more
+@@ -450,7 +450,7 @@ socket_recv_messages (NiceSocket *sock,
+ if (nice_socket_is_reliable (sock) && parsed_buffer_length > 0) {
+ /* Determine the portion of the current NiceInputMessage we can already
+ * return. */
+- guint16 msg_len = 0;
++ gint32 msg_len = 0;
+ if (!priv->fragment_buffer) {
+ msg_len = ((buffer[0] << 8) | buffer[1]) + sizeof (guint16);
+ if (msg_len > parsed_buffer_length) {
+
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-05 08:20:59 +0000