Skip to content

gstrtpbuffer: fix header extension length validation

We validate the header extensions length of an RTP buffer by comparing it against the block size. Since we multiply the length in words by 4 to get the length in bytes, a suitably large length could cause a wrapround of the uint16, giving a lower length which erroneously passes the check and allows the buffer to be mapped.

Merge request reports

Loading