Skip to content

Commit f74c1fc

Browse files
authored
Merge pull request from GHSA-r374-qrwv-86hh
1 parent 833c983 commit f74c1fc

File tree

1 file changed

+20
-4
lines changed

1 file changed

+20
-4
lines changed

Diff for: pjmedia/src/pjmedia/rtcp_xr.c

+20-4
Original file line numberDiff line numberDiff line change
@@ -436,16 +436,32 @@ void pjmedia_rtcp_xr_rx_rtcp_xr( pjmedia_rtcp_xr_session *sess,
436436
if (rb_len) {
437437
switch (rb_hdr->bt) {
438438
case BT_RR_TIME:
439-
rb_rr_time = (pjmedia_rtcp_xr_rb_rr_time*) rb_hdr;
439+
if ((char*)rb_hdr + sizeof(*rb_rr_time) <=
440+
(char*)pkt + size)
441+
{
442+
rb_rr_time = (pjmedia_rtcp_xr_rb_rr_time*)rb_hdr;
443+
}
440444
break;
441445
case BT_DLRR:
442-
rb_dlrr = (pjmedia_rtcp_xr_rb_dlrr*) rb_hdr;
446+
if ((char*)rb_hdr + sizeof(*rb_dlrr) <=
447+
(char*)pkt + size)
448+
{
449+
rb_dlrr = (pjmedia_rtcp_xr_rb_dlrr*)rb_hdr;
450+
}
443451
break;
444452
case BT_STATS:
445-
rb_stats = (pjmedia_rtcp_xr_rb_stats*) rb_hdr;
453+
if ((char*)rb_hdr + sizeof(*rb_stats) <=
454+
(char*)pkt + size)
455+
{
456+
rb_stats = (pjmedia_rtcp_xr_rb_stats*)rb_hdr;
457+
}
446458
break;
447459
case BT_VOIP_METRICS:
448-
rb_voip_mtc = (pjmedia_rtcp_xr_rb_voip_mtc*) rb_hdr;
460+
if ((char*)rb_hdr + sizeof(*rb_voip_mtc) <=
461+
(char*)pkt + size)
462+
{
463+
rb_voip_mtc = (pjmedia_rtcp_xr_rb_voip_mtc*)rb_hdr;
464+
}
449465
break;
450466
default:
451467
break;

0 commit comments

Comments
 (0)