@@ -436,16 +436,32 @@ void pjmedia_rtcp_xr_rx_rtcp_xr( pjmedia_rtcp_xr_session *sess,
436436 if (rb_len ) {
437437 switch (rb_hdr -> bt ) {
438438 case BT_RR_TIME :
439- rb_rr_time = (pjmedia_rtcp_xr_rb_rr_time * ) rb_hdr ;
439+ if ((char * )rb_hdr + sizeof (* rb_rr_time ) <=
440+ (char * )pkt + size )
441+ {
442+ rb_rr_time = (pjmedia_rtcp_xr_rb_rr_time * )rb_hdr ;
443+ }
440444 break ;
441445 case BT_DLRR :
442- rb_dlrr = (pjmedia_rtcp_xr_rb_dlrr * ) rb_hdr ;
446+ if ((char * )rb_hdr + sizeof (* rb_dlrr ) <=
447+ (char * )pkt + size )
448+ {
449+ rb_dlrr = (pjmedia_rtcp_xr_rb_dlrr * )rb_hdr ;
450+ }
443451 break ;
444452 case BT_STATS :
445- rb_stats = (pjmedia_rtcp_xr_rb_stats * ) rb_hdr ;
453+ if ((char * )rb_hdr + sizeof (* rb_stats ) <=
454+ (char * )pkt + size )
455+ {
456+ rb_stats = (pjmedia_rtcp_xr_rb_stats * )rb_hdr ;
457+ }
446458 break ;
447459 case BT_VOIP_METRICS :
448- rb_voip_mtc = (pjmedia_rtcp_xr_rb_voip_mtc * ) rb_hdr ;
460+ if ((char * )rb_hdr + sizeof (* rb_voip_mtc ) <=
461+ (char * )pkt + size )
462+ {
463+ rb_voip_mtc = (pjmedia_rtcp_xr_rb_voip_mtc * )rb_hdr ;
464+ }
449465 break ;
450466 default :
451467 break ;
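Review bot: The four new guards (BT_RR_TIME, BT_DLRR, BT_STATS, BT_VOIP_METRICS) test the bound by first forming `(char *)rb_hdr + sizeof(*rb_...)`, and computing a pointer more than one past the end of the packet buffer is undefined in C even if it is only compared. Comparing lengths avoids that, e.g. `if (sizeof(*rb_rr_time) <= (size_t)(((char *)pkt + size) - (char *)rb_hdr))`, assuming the loop outside this hunk keeps `rb_hdr` inside the packet; since the expression is repeated four times it could be one small helper or macro taking the struct size. The guards also only show that the fixed struct fits in the packet, not that it fits in the block's own declared length (`rb_len`), so a block declaring itself shorter than the struct would presumably still be read as a full struct overlapping the next block; that is worth checking against the parsing loop, which starts and ends outside the hunk. A block that fails the check is dropped silently, and a trace log at that point would make truncated or malformed XR packets visible to whoever is diagnosing them.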