From 04716291b630cea37a2053078cfe1365103ad67a Mon Sep 17 00:00:00 2001
From: Randell Jesup
Date: Sat, 5 Dec 2015 11:06:40 -0500
Subject: [PATCH] Bug 1216837: add explicit error checks for packet length in srtp r=mcmanus rs=jesup
---
 netwerk/srtp/src/srtp/srtp.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/netwerk/srtp/src/srtp/srtp.c b/netwerk/srtp/src/srtp/srtp.c
index cdb05b8cfe4..4d83707f981 100644
--- a/netwerk/srtp/src/srtp/srtp.c
+++ b/netwerk/srtp/src/srtp/srtp.c
@@ -807,6 +807,8 @@ srtp_stream_init(srtp_stream_ctx_t *srtp,
 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
 enc_start += (ntohs(xtn_hdr->length) + 1);
 }
+ if (!((uint8_t*)enc_start <= (uint8_t*)hdr + *pkt_octet_len))
+ return err_status_parse_err;
 enc_octet_len = (unsigned int)(*pkt_octet_len - ((enc_start - (uint32_t *)hdr) << 2));
 } else {
@@ -1076,6 +1078,8 @@ srtp_unprotect(srtp_ctx_t *ctx, void *srtp_hdr, int *pkt_octet_len) {
 srtp_hdr_xtnd_t *xtn_hdr = (srtp_hdr_xtnd_t *)enc_start;
 enc_start += (ntohs(xtn_hdr->length) + 1);
 }
+ if (!((uint8_t*)enc_start < (uint8_t*)hdr + (*pkt_octet_len - tag_len)))
+ return err_status_parse_err;
 enc_octet_len = (uint32_t)(*pkt_octet_len - tag_len - ((enc_start - (uint32_t *)hdr) << 2));
 } else {
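Review bot: In the first hunk (`@@ -807,6 +807,8 @@`) the added bounds check runs only after `ntohs(xtn_hdr->length)` has already read the extension header, so a packet that ends before that field is still read past its end unless a check outside the hunk rules this out. The block that closes with `}` just above the added lines should validate first, e.g. `if ((uint8_t*)(xtn_hdr + 1) > (uint8_t*)hdr + *pkt_octet_len) return err_status_parse_err;` placed before the `enc_start +=` line (assuming `srtp_hdr_xtnd_t` covers only the fixed extension header). The srtp_unprotect hunk has the same read-then-check order and needs the same guard, with `tag_len` subtracted from the limit. The enclosing function and the opening of the extension block are outside the hunk.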
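Review bot: The comparison added in the srtp_unprotect hunk is strict (`<`) while the matching check in the first hunk uses `<=`, so a packet whose header is followed directly by the authentication tag (zero-length payload) returns `err_status_parse_err` here but is accepted by the first check. If rejecting it is intended, a one-line comment should say why; otherwise `if (!((uint8_t*)enc_start <= (uint8_t*)hdr + (*pkt_octet_len - tag_len)))` makes the two consistent. The subtraction `*pkt_octet_len - tag_len` is signed, and the hunk does not show whether the packet is already known to be at least `tag_len` bytes long, so that precondition is worth confirming or stating in the comment. srtp_unprotect's body continues outside the hunk.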