From 7a0e44c1a84fb4ed57a6701cfc8093756c37af6f Mon Sep 17 00:00:00 2001
From: Ilya Nikolaevskiy
Date: Fri, 17 Jan 2020 14:15:27 +0100
Subject: [PATCH] Merge to M80: Add safety checks in RtpPacket::ZeroMutableExtensions and fuzz it
// Because ios_sim_x64_dbg_ios10 is broken on release brunch:
// https://bugs.chromium.org/p/webrtc/issues/detail?id=11277
TBR=nisse@webrtc.org
(cherry picked from commit db6ca7f2d7fd67b2ed37b49af442ff58171faafa)
No-Try: true
Bug: chromium:1042535
Change-Id: I0f7ef1086631b5beb2e0c89d57534d2551289117
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/166441
Reviewed-by: Niels Moller
Reviewed-by: Danil Chapovalov
Commit-Queue: Ilya Nikolaevskiy
Cr-Original-Commit-Position: refs/heads/master@{#30303}
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/166520
Reviewed-by: Ilya Nikolaevskiy
Cr-Commit-Position: refs/branch-heads/3987@{#6}
Cr-Branched-From: 1256d9bcac500d962e884231b0360d8c3eb3ef02-refs/heads/master@{#30022}
---
 modules/rtp_rtcp/source/rtp_packet.cc | 12 +++++++-----
 test/fuzzers/rtp_packet_fuzzer.cc | 3 +++
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/modules/rtp_rtcp/source/rtp_packet.cc b/modules/rtp_rtcp/source/rtp_packet.cc
index 27c940ce49..3d86a8c47f 100644
--- a/modules/rtp_rtcp/source/rtp_packet.cc
+++ b/modules/rtp_rtcp/source/rtp_packet.cc
@@ -165,11 +165,13 @@ void RtpPacket::ZeroMutableExtensions() {
 break;
 }
 case RTPExtensionType::kRtpExtensionVideoTiming: {
- // Nullify 3 last entries: packetization delay and 2 network timestamps.
- // Each of them is 2 bytes.
- memset(
- WriteAt(extension.offset + VideoSendTiming::kPacerExitDeltaOffset),
- 0, 6);
+ // Nullify last entries, starting at pacer delay.
+ // These are set by pacer and SFUs
+ if (VideoSendTiming::kPacerExitDeltaOffset < extension.length) {
+ memset(WriteAt(extension.offset +
+ VideoSendTiming::kPacerExitDeltaOffset),
+ 0, extension.length - VideoSendTiming::kPacerExitDeltaOffset);
+ }
 break;
 }
 case RTPExtensionType::kRtpExtensionTransportSequenceNumber:
diff --git a/test/fuzzers/rtp_packet_fuzzer.cc b/test/fuzzers/rtp_packet_fuzzer.cc
index e256eec963..25fec2c094 100644
--- a/test/fuzzers/rtp_packet_fuzzer.cc
+++ b/test/fuzzers/rtp_packet_fuzzer.cc
@@ -156,5 +156,8 @@ void FuzzOneInput(const uint8_t* data, size_t size) {
 break;
 }
 }
+
+ // Check that zero-ing mutable extensions wouldn't cause any problems.
+ packet.ZeroMutableExtensions();
 }
 } // namespace webrtc
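Review bot: In the `kRtpExtensionVideoTiming` case of `RtpPacket::ZeroMutableExtensions` (rtp_packet.cc), the new comment does not say why the write is now bounded by `extension.length`, which is the part a later reader must not undo. The length appears to come from the parsed packet, so a fixed-size write is only safe when the extension is as long as the full timing layout. I would add `// extension.length comes from the received packet and may be shorter than the full VideoSendTiming layout, so clear only the bytes that are actually present.` The rest of the switch lies outside this hunk, so it is worth confirming that any other case writing a fixed number of bytes has an equivalent length check.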
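Review bot: The comment on the added `packet.ZeroMutableExtensions()` call in `FuzzOneInput` (rtp_packet_fuzzer.cc) is vague about what the call is expected to catch. Nothing is asserted after the call, so an out-of-bounds write is only detected when the fuzzer is built with a memory-error sanitizer such as ASan. A comment like `// Zeroing writes into the packet buffer at parsed extension offsets; sanitizers flag any write outside it.` would state that. The function body begins outside the hunk, so whether this line is reached only for successfully parsed packets cannot be seen here.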