From b4a70ed643d3978beaf3dc588ff73249abf30491 Mon Sep 17 00:00:00 2001
From: Ilya Nikolaevskiy
Date: Tue, 23 Apr 2019 10:37:06 +0200
Subject: [PATCH] Fix potential crash in FrameBuffer::IsCompleteSuperFrame
According to crash reports, crash happens at the line with nothing but |next_frame->second.frame->is_last_spatial_layer|. Probably, |frames_| contains entries with empty frame unique_ptr. This CL adds checks to not dereference those empty pointers.
Bug: chromium:955040
Change-Id: I3060f9e1af8bfc3c8a079c14107b5b4a82f5d015
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/133626
Reviewed-by: Philip Eliasson
Commit-Queue: Ilya Nikolaevskiy
Cr-Commit-Position: refs/heads/master@{#27706}
---
 modules/video_coding/frame_buffer2.cc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/modules/video_coding/frame_buffer2.cc b/modules/video_coding/frame_buffer2.cc
index 20b680e170..c846477067 100644
--- a/modules/video_coding/frame_buffer2.cc
+++ b/modules/video_coding/frame_buffer2.cc
@@ -407,14 +407,15 @@ bool FrameBuffer::IsCompleteSuperFrame(const EncodedFrame& frame) {
 RTC_DCHECK_GT(id.spatial_layer, 0);
 --id.spatial_layer;
 FrameMap::iterator prev_frame = frames_.find(id);
- if (prev_frame == frames_.end())
+ if (prev_frame == frames_.end() || !prev_frame->second.frame)
 return false;
 while (prev_frame->second.frame->inter_layer_predicted) {
 if (prev_frame == frames_.begin())
 return false;
 --prev_frame;
 --id.spatial_layer;
- if (prev_frame->first.picture_id != id.picture_id ||
+ if (!prev_frame->second.frame ||
+ prev_frame->first.picture_id != id.picture_id ||
 prev_frame->first.spatial_layer != id.spatial_layer) {
 return false;
 }
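Review bot: The added `!prev_frame->second.frame` checks (before the loop and inside it, and the matching `!next_frame->second.frame` checks in the second hunk) have no comment explaining why a `frames_` entry can exist without a frame, so a later reader cannot tell a legitimate state from a masked bug. The commit message itself only calls this the probable cause; if such entries are expected (for example placeholders created before the frame itself arrives, which is inferred and not visible here), say so at the first check, e.g. `// A frames_ entry may exist with no frame attached; treat it as a missing layer.` If the map is filled from received video, as the names suggest, the old dereference was a crash reachable from network input, which is a further reason to document the guard so it is not removed in a cleanup. IsCompleteSuperFrame starts and ends outside this hunk.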
@@ -426,12 +427,12 @@ bool FrameBuffer::IsCompleteSuperFrame(const EncodedFrame& frame) {
 VideoLayerFrameId id = frame.id;
 ++id.spatial_layer;
 FrameMap::iterator next_frame = frames_.find(id);
- if (next_frame == frames_.end())
+ if (next_frame == frames_.end() || !next_frame->second.frame)
 return false;
 while (!next_frame->second.frame->is_last_spatial_layer) {
 ++next_frame;
 ++id.spatial_layer;
- if (next_frame == frames_.end() ||
+ if (next_frame == frames_.end() || !next_frame->second.frame ||
 next_frame->first.picture_id != id.picture_id ||
 next_frame->first.spatial_layer != id.spatial_layer) {
 return false;
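Review bot: No regression test accompanies the new `!next_frame->second.frame` guards; the diffstat lists only frame_buffer2.cc, and the commit message describes the cause as probable rather than confirmed. A unit test that leaves a `frames_` entry with an empty frame next to a frame whose `is_last_spatial_layer` is false (and the mirrored `inter_layer_predicted` case from the first hunk), and expects the superframe to be reported as incomplete rather than crashing, would confirm the hypothesis and pin the guard. The function body continues outside this hunk, so how the `false` result is consumed by callers cannot be checked from here.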