RtpReferenceFrameFinder: protect against crashes due to large temporal idx value on the wire
Bug: chromium:1042933
Change-Id: Ide37812a73b72e744f45b671918dc9817775e1f4
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/166463
Reviewed-by: Sergey Silkin <ssilkin@webrtc.org>
Commit-Queue: Ilya Nikolaevskiy <ilnik@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#30307}
diff --git a/modules/video_coding/rtp_frame_reference_finder.cc b/modules/video_coding/rtp_frame_reference_finder.cc
index 1f4bcc7..873e71a 100644
--- a/modules/video_coding/rtp_frame_reference_finder.cc
+++ b/modules/video_coding/rtp_frame_reference_finder.cc
@@ -289,6 +289,10 @@
return ManageFramePidOrSeqNum(frame, codec_header.pictureId);
}
+ // Protect against corrupted packets with arbitrary large temporal idx.
+ if (codec_header.temporalIdx >= kMaxTemporalLayers)
+ return kDrop;
+
frame->id.picture_id = codec_header.pictureId % kPicIdLength;
if (last_picture_id_ == -1)
@@ -433,6 +437,10 @@
return ManageFramePidOrSeqNum(frame, codec_header.picture_id);
}
+ // Protect against corrupted packets with arbitrary large temporal idx.
+ if (codec_header.temporal_idx >= kMaxTemporalLayers)
+ return kDrop;
+
frame->id.spatial_layer = codec_header.spatial_idx;
frame->inter_layer_predicted = codec_header.inter_layer_predicted;
frame->id.picture_id = codec_header.picture_id % kPicIdLength;
@@ -688,6 +696,10 @@
if (tid == kNoTemporalIdx)
return ManageFramePidOrSeqNum(std::move(frame), kNoPictureId);
+ // Protect against corrupted packets with arbitrary large temporal idx.
+ if (tid >= kMaxTemporalLayers)
+ return kDrop;
+
frame->id.picture_id = frame->last_seq_num();
if (frame->frame_type() == VideoFrameType::kVideoFrameKey) {