From 75acef396265beccab231928f7b989dac3b081e3 Mon Sep 17 00:00:00 2001
From: Kuang-che Wu
Date: Thu, 10 Oct 2019 19:54:45 +0800
Subject: [PATCH] Reject invalid spatial index
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
We should reject invalid values explicitly in order to prevent DCHECK failures later, which affect fuzzing progress.
Bug: chromium:1009172, chromium:1009073
Change-Id: I7f0dc417ecac7aab076a652143f5face2ff98da2
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/156340
Commit-Queue: Kuang-che Wu
Reviewed-by: Magnus Flodman
Reviewed-by: Erik Språng
Cr-Commit-Position: refs/heads/master@{#29459}
---
 modules/rtp_rtcp/BUILD.gn | 1 +
 modules/rtp_rtcp/source/rtp_format_vp9.cc | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/modules/rtp_rtcp/BUILD.gn b/modules/rtp_rtcp/BUILD.gn
index 48610bebb8..3d7eeabf10 100644
--- a/modules/rtp_rtcp/BUILD.gn
+++ b/modules/rtp_rtcp/BUILD.gn
@@ -236,6 +236,7 @@ rtc_static_library("rtp_rtcp") {
 "../../api/units:timestamp",
 "../../api/video:video_bitrate_allocation",
 "../../api/video:video_bitrate_allocator",
+ "../../api/video:video_codec_constants",
 "../../api/video:video_frame",
 "../../api/video:video_frame_type",
 "../../api/video:video_rtp_headers",
diff --git a/modules/rtp_rtcp/source/rtp_format_vp9.cc b/modules/rtp_rtcp/source/rtp_format_vp9.cc
index 3c40e55220..f83a12b0e2 100644
--- a/modules/rtp_rtcp/source/rtp_format_vp9.cc
+++ b/modules/rtp_rtcp/source/rtp_format_vp9.cc
@@ -12,6 +12,7 @@
 #include
+#include "api/video/video_codec_constants.h"
 #include "modules/rtp_rtcp/source/rtp_packet_to_send.h"
 #include "modules/video_coding/codecs/interface/common_constants.h"
 #include "rtc_base/bit_buffer.h"
@@ -316,6 +317,8 @@ bool ParseLayerInfoCommon(rtc::BitBuffer* parser, RTPVideoHeaderVP9* vp9) {
 RETURN_FALSE_ON_ERROR(parser->ReadBits(&d_bit, 1));
 vp9->temporal_idx = t;
 vp9->temporal_up_switch = u_bit ? true : false;
+ if (s >= kMaxSpatialLayers)
+ return false;
 vp9->spatial_idx = s;
 vp9->inter_layer_predicted = d_bit ? true : false;
 return true;
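Review bot: The new bound check on `s` runs only after `vp9->temporal_idx` and `vp9->temporal_up_switch` have been written, so a rejected descriptor leaves `*vp9` half-updated. Moving `if (s >= kMaxSpatialLayers) return false;` above `vp9->temporal_idx = t;` keeps the header untouched on failure. The temporal index `t` is stored with no range check at all, and it presumably comes from the same parsed packet bits. Whether later code bounds it (for instance against `kMaxTemporalStreams`) is not visible in this hunk and is worth confirming. The diffstat shows no test file, so a unit test that feeds a descriptor with an out-of-range spatial index and expects the parse to fail would pin the new behaviour. ParseLayerInfoCommon starts before this hunk and its closing brace lies after it.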