Discard over large DataRates in VideoLayersAllocation rtp header extension
Bug: b/193170077
Change-Id: I427718daa70910dbaf7f2e1f3d88d3dce4f27c7a
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/226561
Reviewed-by: Emil Lundmark <lndmrk@webrtc.org>
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#34520}
diff --git a/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension.cc b/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension.cc
index 93fb235..234ac31 100644
--- a/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension.cc
+++ b/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension.cc
@@ -354,10 +354,13 @@
// Target bitrates.
for (auto& layer : allocation->active_spatial_layers) {
for (DataRate& rate : layer.target_bitrate_per_temporal_layer) {
- rate = DataRate::KilobitsPerSec(ReadLeb128(read_at, end));
- if (read_at == nullptr) {
+ uint64_t bitrate_kbps = ReadLeb128(read_at, end);
+ // bitrate_kbps might represent larger values than DataRate type,
+ // discard unreasonably large values.
+ if (read_at == nullptr || bitrate_kbps > 1'000'000) {
return false;
}
+ rate = DataRate::KilobitsPerSec(bitrate_kbps);
}
}
diff --git a/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension_unittest.cc b/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension_unittest.cc
index 92e5673..17b4c4c 100644
--- a/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension_unittest.cc
+++ b/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension_unittest.cc
@@ -249,5 +249,12 @@
RtpVideoLayersAllocationExtension::Write(buffer, written_allocation));
}
+TEST(RtpVideoLayersAllocationExtension, DiscardsOverLargeDataRate) {
+ constexpr uint8_t buffer[] = {0x4b, 0xf6, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xcb, 0x78, 0xeb, 0x8d, 0xb5, 0x31};
+ VideoLayersAllocation allocation;
+ EXPECT_FALSE(RtpVideoLayersAllocationExtension::Parse(buffer, &allocation));
+}
+
} // namespace
} // namespace webrtc
