Google Git
Sign in
webrtc / src / 7a709c0e85eb938a052b74fb39ebcaf5981f84be^! / .
commit7a709c0e85eb938a052b74fb39ebcaf5981f84be[log] [tgz]
authorIlya Nikolaevskiy <ilnik@webrtc.org>Fri Jan 17 15:40:02 2020
committerCommit Bot <commit-bot@chromium.org>Fri Jan 17 16:24:53 2020
tree41a98a15a1b39fd5cfbe37d3f23b953ff4930c2a
parent81dcfda82367296274557fc116ab6537962a6fc9 [diff]
RtpReferenceFrameFinder: protect against crashes due to large temporal idx value on the wire

Bug: chromium:1042933
Change-Id: Ide37812a73b72e744f45b671918dc9817775e1f4
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/166463
Reviewed-by: Sergey Silkin <ssilkin@webrtc.org>
Commit-Queue: Ilya Nikolaevskiy <ilnik@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#30307}

diff --git a/modules/video_coding/rtp_frame_reference_finder.cc b/modules/video_coding/rtp_frame_reference_finder.cc
index 1f4bcc7..873e71a 100644
--- a/modules/video_coding/rtp_frame_reference_finder.cc
+++ b/modules/video_coding/rtp_frame_reference_finder.cc

@@ -289,6 +289,10 @@
     return ManageFramePidOrSeqNum(frame, codec_header.pictureId);
   }
 
+  // Protect against corrupted packets with arbitrary large temporal idx.
+  if (codec_header.temporalIdx >= kMaxTemporalLayers)
+    return kDrop;
+
   frame->id.picture_id = codec_header.pictureId % kPicIdLength;
 
   if (last_picture_id_ == -1)
@@ -433,6 +437,10 @@
     return ManageFramePidOrSeqNum(frame, codec_header.picture_id);
   }
 
+  // Protect against corrupted packets with arbitrary large temporal idx.
+  if (codec_header.temporal_idx >= kMaxTemporalLayers)
+    return kDrop;
+
   frame->id.spatial_layer = codec_header.spatial_idx;
   frame->inter_layer_predicted = codec_header.inter_layer_predicted;
   frame->id.picture_id = codec_header.picture_id % kPicIdLength;
@@ -688,6 +696,10 @@
   if (tid == kNoTemporalIdx)
     return ManageFramePidOrSeqNum(std::move(frame), kNoPictureId);
 
+  // Protect against corrupted packets with arbitrary large temporal idx.
+  if (tid >= kMaxTemporalLayers)
+    return kDrop;
+
   frame->id.picture_id = frame->last_seq_num();
 
   if (frame->frame_type() == VideoFrameType::kVideoFrameKey) {