From f67e3ed240fc741cd56cff20f8f08ebb8cdd5203 Mon Sep 17 00:00:00 2001
From: sauwming
Date: Wed, 11 Sep 2024 15:59:10 +0800
Subject: [PATCH] Fixed length check for RTCP FB SLI and RPSI parsing (#4069)
---
 pjmedia/src/pjmedia/rtcp_fb.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/pjmedia/src/pjmedia/rtcp_fb.c b/pjmedia/src/pjmedia/rtcp_fb.c
index 15c4668be..ecb243ed6 100644
--- a/pjmedia/src/pjmedia/rtcp_fb.c
+++ b/pjmedia/src/pjmedia/rtcp_fb.c
@@ -704,7 +704,8 @@ PJ_DEF(pj_status_t) pjmedia_rtcp_fb_parse_sli(
 return PJ_ETOOSMALL;
 }
 
- cnt = pj_ntohs((pj_uint16_t)hdr->rtcp_common.length) - 2;
+ cnt = pj_ntohs((pj_uint16_t)hdr->rtcp_common.length);
+ if (cnt > 2) cnt -= 2; else cnt = 0;
 
 if (length < (cnt+3)*4)
 return PJ_ETOOSMALL;
@@ -755,7 +756,9 @@ PJ_DEF(pj_status_t) pjmedia_rtcp_fb_parse_rpsi(
 return PJ_ETOOSMALL;
 }
 
- rpsi_len = (pj_ntohs((pj_uint16_t)hdr->rtcp_common.length)-2) * 4;
+ rpsi_len = pj_ntohs((pj_uint16_t)hdr->rtcp_common.length);
+ if (rpsi_len > 2) rpsi_len -= 2; else rpsi_len = 0;
+ rpsi_len *= 4;
 
 if (length < rpsi_len + 12)
 return PJ_ETOOSMALL;
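Review bot: A length field of 0 or 1 is clamped to `cnt = 0` rather than rejected, although an RTCP feedback packet is never that short: the common header plus the two SSRC words occupy three 32-bit words, so a well-formed length field (words minus one) is at least 2. Treating such a header as "zero SLI entries" turns a malformed packet into a successful parse that reports nothing; `if (cnt < 2) return PJ_ETOOSMALL;` placed before the subtraction keeps the underflow fix and makes the rejection explicit, and the same applies to the rpsi_len clamp in the parse_rpsi hunk below. The declared type of cnt is not visible here; if it is a signed int the old `(cnt+3)*4` could also go negative before the comparison with length, which the clamp likewise closes. pjmedia_rtcp_fb_parse_sli starts and ends outside the hunk.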
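Review bot: With a length field of 2 the new lines yield `rpsi_len = 0`, but the RPSI FCI (the PB and PT octets followed by the padded native bit string) always occupies at least one 32-bit word, so a zero-length FCI is itself malformed. If the code after this hunk reads the PB and PT octets at offset 12 regardless of rpsi_len, a packet with length == 12 passes the `length < rpsi_len + 12` check and those reads land past the end of the buffer; that code is not in view, so please confirm. Adding `if (rpsi_len < 4) return PJ_ETOOSMALL;` after the `rpsi_len *= 4;` line rules that case out independently of what follows. pjmedia_rtcp_fb_parse_rpsi starts and ends outside the hunk.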