From 845a26214d51401a8c7ef767348336eb19c662ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erik=20Spr=C3=A5ng?=
Date: Mon, 22 Jan 2018 15:18:12 -0800
Subject: [PATCH] Prevent potential integer overflow in sps parser
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Bug: webrtc:8275, chromium:800698
Change-Id: I4dcba8ba480cd2a1b97dc09e97f585f2b3cf3279
Reviewed-on: https://webrtc-review.googlesource.com/40443
Reviewed-by: Sergey Silkin
Reviewed-by: Magnus Jedvert
Commit-Queue: Erik Språng
Cr-Commit-Position: refs/heads/master@{#21971}
---
 common_video/h264/sps_parser.cc | 7 +++++++
 common_video/h264/sps_parser_unittest.cc | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/common_video/h264/sps_parser.cc b/common_video/h264/sps_parser.cc
index 2be6da2274..c921972ce0 100644
--- a/common_video/h264/sps_parser.cc
+++ b/common_video/h264/sps_parser.cc
@@ -17,6 +17,7 @@
 #include "rtc_base/bitbuffer.h"
 #include "rtc_base/logging.h"
+namespace {
 typedef rtc::Optional OptionalSps;
 #define RETURN_EMPTY_ON_FAIL(x) \
@@ -24,6 +25,10 @@ typedef rtc::Optional OptionalSps;
 return OptionalSps(); \
 }
+constexpr int kScalingDeltaMin = -128;
+constexpr int kScaldingDeltaMax = 127;
+} // namespace
+
 namespace webrtc {
 SpsParser::SpsState::SpsState() = default;
@@ -115,6 +120,8 @@ rtc::Optional SpsParser::ParseSpsUpToVui(
 // delta_scale: se(v)
 RETURN_EMPTY_ON_FAIL(
 buffer->ReadSignedExponentialGolomb(&delta_scale));
+ RETURN_EMPTY_ON_FAIL(delta_scale >= kScalingDeltaMin &&
+ delta_scale <= kScaldingDeltaMax);
 next_scale = (last_scale + delta_scale + 256) % 256;
 }
 if (next_scale != 0)
diff --git a/common_video/h264/sps_parser_unittest.cc b/common_video/h264/sps_parser_unittest.cc
index 39e6f2e362..6856c1bbf2 100644
--- a/common_video/h264/sps_parser_unittest.cc
+++ b/common_video/h264/sps_parser_unittest.cc
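Review bot: The constant `kScaldingDeltaMax` added in the second sps_parser.cc hunk is misspelled. It should be `kScalingDeltaMax` to pair with `kScalingDeltaMin`, and its use in the `ParseSpsUpToVui` hunk needs renaming with it. The two bounds also deserve a comment saying where they come from, for example `// H.264 limits delta_scale to [-128, 127]; anything else is rejected as a malformed SPS.` The anonymous namespace opened in the first hunk now also encloses `RETURN_EMPTY_ON_FAIL`, but a macro is not scoped by a namespace, so it stays visible for the rest of the translation unit.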
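Review bot: The new `delta_scale` range check in `ParseSpsUpToVui` has no regression test; per the diffstat, the only change to sps_parser_unittest.cc is a comment typo fix. SPS bytes come from the received bitstream, so a test should feed an SPS whose scaling list encodes a `delta_scale` outside [-128, 127] and expect an empty result. That would pin the rejection and keep a later refactor from silently dropping the guard. A short why-comment above the check would also help, such as `// Reject out-of-range values before the signed addition below can overflow.` The function body starts and ends outside this hunk, so this page does not show whether the other Exp-Golomb values it reads are bounded before being used in arithmetic.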
@@ -172,7 +172,7 @@ TEST_F(H264SpsParserTest, TestSyntheticSPSWeirdResolution) {
 }
 TEST_F(H264SpsParserTest, TestSampleSPSWithScalingLists) {
- // SPS from a 1920x1080 video. Contains scaling lists (and veritcal cropping).
+ // SPS from a 1920x1080 video. Contains scaling lists (and vertical cropping).
 const uint8_t buffer[] = {0x64, 0x00, 0x2a, 0xad, 0x84, 0x01, 0x0c, 0x20, 0x08, 0x61, 0x00, 0x43, 0x08, 0x02, 0x18, 0x40, 0x10, 0xc2, 0x00, 0x84, 0x3b, 0x50, 0x3c, 0x01,