Add more VP9 header correctness check in RtpFrameReferenceFinder
Bug: chromium:1049129
Change-Id: I133673d86aadd6a87b3420a04bbf45ed53841a96
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/168240
Reviewed-by: Philip Eliasson <philipel@webrtc.org>
Commit-Queue: Ilya Nikolaevskiy <ilnik@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#30466}
diff --git a/modules/video_coding/rtp_frame_reference_finder.cc b/modules/video_coding/rtp_frame_reference_finder.cc
index 5007fbb..e67ac66 100644
--- a/modules/video_coding/rtp_frame_reference_finder.cc
+++ b/modules/video_coding/rtp_frame_reference_finder.cc
@@ -435,7 +435,8 @@
}
// Protect against corrupted packets with arbitrary large temporal idx.
- if (codec_header.temporal_idx >= kMaxTemporalLayers)
+ if (codec_header.temporal_idx >= kMaxTemporalLayers ||
+ codec_header.spatial_idx >= kMaxSpatialLayers)
return kDrop;
frame->id.spatial_layer = codec_header.spatial_idx;
@@ -477,6 +478,12 @@
return kDrop;
}
+ for (size_t i = 0; i < codec_header.gof.num_frames_in_gof; ++i) {
+ if (codec_header.gof.num_ref_pics[i] > kMaxVp9RefPics) {
+ return kDrop;
+ }
+ }
+
GofInfoVP9 gof = codec_header.gof;
if (gof.num_frames_in_gof == 0) {
RTC_LOG(LS_WARNING) << "Number of frames in GOF is zero. Assume "