libmediasoupclient

Array out of bounds access when Produce() is called using the last codec in Device's caps array

Open mrosu90 opened this issue 1 year ago • 1 comments

Scenario: Load a device with 3 codec caps: opus, pcma, pcmu. Create a SendTransport & then call Produce restricting the codec by forcing pcmu. In ortc.cpp reduceCodecs will check the Device caps array, it will get to pcmu which is the third and last element (idx == 2), and call isRtxCodec on it.

if (matchCodecs(codecs[idx], const_cast<json&>(*capCodec)))
{
    filteredCodecs.push_back(codecs[idx]);

    if (isRtxCodec(codecs[idx + 1]))
        filteredCodecs.push_back(codecs[idx + 1]);

    break;
}

This will effectively force the nlohmann::json object to do an out-of-bounds access. The library guards against this by adding a null object to the end of the array.

This will throw further down the line when matchCodecs tries to match the mimeType and it's looking for a string type, not an obj type.

mrosu90 avatar May 28 '24 09:05 mrosu90

Thanks for reporting. We won't be able to fix it soon but won't forget.

ibc avatar May 28 '24 11:05 ibc