Add more VP9 header correctness check in RtpFrameReferenceFinder

Bug: chromium:1049129
Change-Id: I133673d86aadd6a87b3420a04bbf45ed53841a96
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/168240
Reviewed-by: Philip Eliasson <philipel@webrtc.org>
Commit-Queue: Ilya Nikolaevskiy <ilnik@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#30466}
diff --git a/modules/video_coding/rtp_frame_reference_finder.cc b/modules/video_coding/rtp_frame_reference_finder.cc
index 5007fbb..e67ac66 100644
--- a/modules/video_coding/rtp_frame_reference_finder.cc
+++ b/modules/video_coding/rtp_frame_reference_finder.cc
@@ -435,7 +435,8 @@
   }
 
   // Protect against corrupted packets with arbitrary large temporal idx.
-  if (codec_header.temporal_idx >= kMaxTemporalLayers)
+  if (codec_header.temporal_idx >= kMaxTemporalLayers ||
+      codec_header.spatial_idx >= kMaxSpatialLayers)
     return kDrop;
 
   frame->id.spatial_layer = codec_header.spatial_idx;
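Review bot: The comment above the check still names only the temporal index, while the condition now also rejects `spatial_idx >= kMaxSpatialLayers`. I would update it to `// Protect against corrupted packets with arbitrarily large temporal or spatial idx.` so the reason for the second bound sits next to it. The value is copied into `frame->id.spatial_layer` directly after the check and presumably indexes per-layer state later on. The enclosing function starts and ends outside this hunk, so that later use is not visible here.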
@@ -477,6 +478,12 @@
         return kDrop;
       }
 
+      for (size_t i = 0; i < codec_header.gof.num_frames_in_gof; ++i) {
+        if (codec_header.gof.num_ref_pics[i] > kMaxVp9RefPics) {
+          return kDrop;
+        }
+      }
+
       GofInfoVP9 gof = codec_header.gof;
       if (gof.num_frames_in_gof == 0) {
         RTC_LOG(LS_WARNING) << "Number of frames in GOF is zero. Assume "
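Review bot: The new loop reads `codec_header.gof.num_ref_pics[i]` for every `i < num_frames_in_gof`, so it stays in bounds only if `num_frames_in_gof` has already been limited to the size of that (presumably fixed-size) array. The `return kDrop;` just above the loop looks like that limit, but its condition is outside the hunk, so it is worth confirming that it always runs before the loop. Unlike the zero-GOF case below, which logs a warning, this drop is silent. A comment such as `// Reject a scalability structure whose per-frame reference count exceeds kMaxVp9RefPics.` would record why the frame is discarded. The enclosing block starts and ends outside the hunk.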