in RtpFrameReferenceFinder VP9 case validate number of references in gof
The number of references cannot be invalid if the GOF was correctly parsed
from a VP9 packet, but RtpFrameReferenceFinder should still be
protected against invalid data.
Bug: chromium:1048013
Change-Id: I548f5c87199421b7736409cbcacbec760ad799ae
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/168124
Reviewed-by: Philip Eliasson <philipel@webrtc.org>
Commit-Queue: Danil Chapovalov <danilchap@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#30444}
diff --git a/modules/video_coding/rtp_frame_reference_finder.cc b/modules/video_coding/rtp_frame_reference_finder.cc
index 013b6e3..5007fbb 100644
--- a/modules/video_coding/rtp_frame_reference_finder.cc
+++ b/modules/video_coding/rtp_frame_reference_finder.cc
@@ -563,6 +563,9 @@
frame->id.picture_id);
size_t gof_idx = diff % info->gof->num_frames_in_gof;
+ if (info->gof->num_ref_pics[gof_idx] > EncodedFrame::kMaxFrameReferences) {
+ return kDrop;
+ }
// Populate references according to the scalability structure.
frame->num_references = info->gof->num_ref_pics[gof_idx];
for (size_t i = 0; i < frame->num_references; ++i) {
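Review bot: `gof_idx` on the context line just above the new check is computed as `diff % info->gof->num_frames_in_gof`, and nothing in this hunk validates that field, so the commit's own "protect from invalid data" reasoning applies to it as well. A zero value would be a division by zero, and a value larger than the `num_ref_pics` array would let the new check itself index past that array. Unless this is already rejected earlier in the function (which starts outside the hunk), a guard before the modulo would cover it, for example `if (info->gof->num_frames_in_gof == 0 || info->gof->num_frames_in_gof > kMaxVp9FramesInGof) return kDrop;`. A one-line comment on the added check, such as `// Reject a GOF whose reference count would overrun frame->references.`, would record why the drop exists; this assumes the loop that follows, whose body is outside the hunk, fills an array bounded by `kMaxFrameReferences`.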