diff options
| author | Michal Klocek <michal.klocek@qt.io> | 2018-05-07 18:33:01 +0200 |
|---|---|---|
| committer | Michal Klocek <michal.klocek@qt.io> | 2018-06-05 14:13:23 +0000 |
| commit | c1daae1d02178800e8095d99fc30bfcb7f720927 (patch) | |
| tree | 6de2bfeace09632b8379083ed1272cfb700c95c7 | |
| parent | b1b895ec4743fd7151a403a61ed8c202b92e1c4c (diff) | |
[Backport] CVE-2018-6129
VP9 temporal index bounds check.
Merge to M67.
Bug: chromium:838672
Reviewed-on: https://webrtc-review.googlesource.com/73701
Change-Id: I4e956347db789451241e433c06d11aab45fa6ea5
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc | 6 | ||||
| -rw-r--r-- | chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder_unittest.cc | 16 |
2 files changed, 22 insertions, 0 deletions
diff --git a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc index c8cfcfe0c8f..dce35549d61 100644 --- a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc +++ b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc @@ -532,6 +532,12 @@ bool RtpFrameReferenceFinder::MissingRequiredFrameVp9(uint16_t picture_id, size_t gof_idx = diff % info.gof->num_frames_in_gof; size_t temporal_idx = info.gof->temporal_idx[gof_idx]; + if (temporal_idx >= kMaxTemporalLayers) { + RTC_LOG(LS_WARNING) << "At most " << kMaxTemporalLayers << " temporal " + << "layers are supported."; + return true; + } + // For every reference this frame has, check if there is a frame missing in // the interval (|ref_pid|, |picture_id|) in any of the lower temporal // layers. If so, we are missing a required frame. diff --git a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder_unittest.cc b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder_unittest.cc index f670197371e..1eeb6cf88ec 100644 --- a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder_unittest.cc +++ b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder_unittest.cc @@ -1330,5 +1330,21 @@ TEST_F(TestRtpFrameReferenceFinder, Vp9GofPidJump) { InsertVp9Gof(sn + 1, sn + 1, false, pid + 1000, 0, 0, 1); } +TEST_F(TestRtpFrameReferenceFinder, Vp9GofTidTooHigh) { + // Same as RtpFrameReferenceFinder::kMaxTemporalLayers. + const int kMaxTemporalLayers = 5; + uint16_t pid = Rand(); + uint16_t sn = Rand(); + GofInfoVP9 ss; + ss.SetGofInfoVP9(kTemporalStructureMode2); + ss.temporal_idx[1] = kMaxTemporalLayers; + + InsertVp9Gof(sn, sn, true, pid, 0, 0, 0, false, &ss); + InsertVp9Gof(sn + 1, sn + 1, false, pid + 1, 0, 0, 1); + + ASSERT_EQ(1UL, frames_from_callback_.size()); + CheckReferencesVp9(0, 0); +} + } // namespace video_coding } // namespace webrtc |