From 7a709c0e85eb938a052b74fb39ebcaf5981f84be Mon Sep 17 00:00:00 2001
From: Ilya Nikolaevskiy
Date: Fri, 17 Jan 2020 16:40:02 +0100
Subject: [PATCH] RtpReferenceFrameFinder: protect against crashes due to large temporal idx value on the wire
Bug: chromium:1042933
Change-Id: Ide37812a73b72e744f45b671918dc9817775e1f4
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/166463
Reviewed-by: Sergey Silkin
Commit-Queue: Ilya Nikolaevskiy
Cr-Commit-Position: refs/heads/master@{#30307}
---
 modules/video_coding/rtp_frame_reference_finder.cc | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/modules/video_coding/rtp_frame_reference_finder.cc b/modules/video_coding/rtp_frame_reference_finder.cc
index 1f4bcc7a89..873e71a1b0 100644
--- a/modules/video_coding/rtp_frame_reference_finder.cc
+++ b/modules/video_coding/rtp_frame_reference_finder.cc
@@ -289,6 +289,10 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp8(
 return ManageFramePidOrSeqNum(frame, codec_header.pictureId);
 }

+ // Protect against corrupted packets with arbitrary large temporal idx.
+ if (codec_header.temporalIdx >= kMaxTemporalLayers)
+ return kDrop;
+
 frame->id.picture_id = codec_header.pictureId % kPicIdLength;

 if (last_picture_id_ == -1)
@@ -433,6 +437,10 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp9(
 return ManageFramePidOrSeqNum(frame, codec_header.picture_id);
 }

+ // Protect against corrupted packets with arbitrary large temporal idx.
+ if (codec_header.temporal_idx >= kMaxTemporalLayers)
+ return kDrop;
+
 frame->id.spatial_layer = codec_header.spatial_idx;
 frame->inter_layer_predicted = codec_header.inter_layer_predicted;
 frame->id.picture_id = codec_header.picture_id % kPicIdLength;
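Review bot: The new `return kDrop;` in ManageFrameVp8 discards the frame silently, so out-of-range temporal indices from a remote peer leave no log line or counter for whoever investigates stalled video or malformed RTP; the identical checks added in ManageFrameVp9 and ManageFrameH264 have the same gap. A warning before the return, such as `RTC_LOG(LS_WARNING) << "Dropping frame, temporal idx out of range: " << static_cast<int>(codec_header.temporalIdx);`, would make the drop observable, preferably rate-limited because the sender controls how often it fires. The comment speaks of corrupted packets, but the value is sender-controlled, so I would word it `// temporalIdx comes from the wire; reject values outside [0, kMaxTemporalLayers) before it is used as an index.` (the indexing itself is outside this hunk and inferred from the commit title). The diffstat lists only the .cc file, so a regression test that feeds a temporal idx equal to kMaxTemporalLayers through each of the three paths appears to be missing. ManageFrameVp8 starts and ends outside the hunk.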
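Review bot: In ManageFrameVp9 the context line directly after the new check, `frame->id.spatial_layer = codec_header.spatial_idx;`, still copies a second wire-supplied index into the frame id with no range test. Whether spatial_idx is later used to address fixed-size per-layer state is not visible in this hunk, but if it is, it needs the same treatment as temporal_idx, for example by extending the guard to `if (codec_header.temporal_idx >= kMaxTemporalLayers || codec_header.spatial_idx >= kMaxSpatialLayers) return kDrop;` (assuming kMaxSpatialLayers is in scope in this file). The function continues past the end of the hunk, so any validation further down could not be checked here.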
@@ -688,6 +696,10 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameH264(
 if (tid == kNoTemporalIdx)
 return ManageFramePidOrSeqNum(std::move(frame), kNoPictureId);

+ // Protect against corrupted packets with arbitrary large temporal idx.
+ if (tid >= kMaxTemporalLayers)
+ return kDrop;
+
 frame->id.picture_id = frame->last_seq_num();

 if (frame->frame_type() == VideoFrameType::kVideoFrameKey) {