From a1187025662f197b80b48393919fa3f4decbb836 Mon Sep 17 00:00:00 2001
From: Danil Chapovalov
Date: Mon, 3 Feb 2020 10:16:48 +0100
Subject: [PATCH] in RtpFrameReferenceFinder VP9 case validate number of references in gof
number of references can't be invalid if gof was correctly parsed from a vp9 packet, but RtpFrameReferenceFinder still better be protected from the invalid data.
Bug: chromium:1048013
Change-Id: I548f5c87199421b7736409cbcacbec760ad799ae
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/168124
Reviewed-by: Philip Eliasson
Commit-Queue: Danil Chapovalov
Cr-Commit-Position: refs/heads/master@{#30444}
---
 modules/video_coding/rtp_frame_reference_finder.cc | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/modules/video_coding/rtp_frame_reference_finder.cc b/modules/video_coding/rtp_frame_reference_finder.cc
index 013b6e3e31..5007fbbc86 100644
--- a/modules/video_coding/rtp_frame_reference_finder.cc
+++ b/modules/video_coding/rtp_frame_reference_finder.cc
@@ -563,6 +563,9 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp9(
 frame->id.picture_id);
 size_t gof_idx = diff % info->gof->num_frames_in_gof;
+ if (info->gof->num_ref_pics[gof_idx] > EncodedFrame::kMaxFrameReferences) {
+ return kDrop;
+ }
 // Populate references according to the scalability structure.
 frame->num_references = info->gof->num_ref_pics[gof_idx];
 for (size_t i = 0; i < frame->num_references; ++i) {
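Review bot: The added guard bounds the value read from `info->gof->num_ref_pics[gof_idx]` but not the index used to read it. `gof_idx` comes from `diff % info->gof->num_frames_in_gof` on the context line just above, so a GOF whose `num_frames_in_gof` is zero or larger than the `num_ref_pics` array would fault on the modulo or read out of bounds before the new check runs. If that field is not already validated earlier in ManageFrameVp9 (not visible here; the function starts before the hunk and the loop continues past it), reject it ahead of the modulo, e.g. `if (info->gof->num_frames_in_gof == 0 || info->gof->num_frames_in_gof > kMaxVp9FramesInGof) return kDrop;`. An `RTC_LOG(LS_WARNING)` on the new drop path would also leave a trace when a malformed stream is discarded.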