From 6882a3f7d04865975f4c5eeee76fe324f3141521 Mon Sep 17 00:00:00 2001 From: Danil Chapovalov Date: Tue, 20 Jul 2021 15:02:55 +0000 Subject: [PATCH] Discard over large DataRates in VideoLayersAllocation rtp header extension Bug: b/193170077 Change-Id: I427718daa70910dbaf7f2e1f3d88d3dce4f27c7a Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/226561 Reviewed-by: Emil Lundmark Commit-Queue: Danil Chapovalov Cr-Commit-Position: refs/heads/master@{#34520} --- .../source/rtp_video_layers_allocation_extension.cc | 7 +++++-- .../rtp_video_layers_allocation_extension_unittest.cc | 7 +++++++ 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension.cc b/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension.cc index 93fb235dcd..234ac31b8b 100644 --- a/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension.cc +++ b/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension.cc @@ -354,10 +354,13 @@ bool RtpVideoLayersAllocationExtension::Parse( // Target bitrates. for (auto& layer : allocation->active_spatial_layers) { for (DataRate& rate : layer.target_bitrate_per_temporal_layer) { - rate = DataRate::KilobitsPerSec(ReadLeb128(read_at, end)); - if (read_at == nullptr) { + uint64_t bitrate_kbps = ReadLeb128(read_at, end); + // bitrate_kbps might represent larger values than DataRate type, + // discard unreasonably large values. + if (read_at == nullptr || bitrate_kbps > 1'000'000) { return false; } + rate = DataRate::KilobitsPerSec(bitrate_kbps); } } diff --git a/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension_unittest.cc b/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension_unittest.cc index 92e5673441..17b4c4cfa6 100644 --- a/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension_unittest.cc +++ b/modules/rtp_rtcp/source/rtp_video_layers_allocation_extension_unittest.cc @@ -249,5 +249,12 @@ TEST(RtpVideoLayersAllocationExtension, RtpVideoLayersAllocationExtension::Write(buffer, written_allocation)); } +TEST(RtpVideoLayersAllocationExtension, DiscardsOverLargeDataRate) { + constexpr uint8_t buffer[] = {0x4b, 0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xcb, 0x78, 0xeb, 0x8d, 0xb5, 0x31}; + VideoLayersAllocation allocation; + EXPECT_FALSE(RtpVideoLayersAllocationExtension::Parse(buffer, &allocation)); +} + } // namespace } // namespace webrtc