diff options
| author | Michal Klocek <michal.klocek@qt.io> | 2018-05-07 18:33:01 +0200 |
|---|---|---|
| committer | Michal Klocek <michal.klocek@qt.io> | 2018-09-10 09:14:53 +0000 |
| commit | 2f39c3c96581af205a10d6b577c510cc4a4b3df7 (patch) | |
| tree | 02a7d7cedcede63ebbdcdfefaf7a6de5c043d67c | |
| parent | aeeeb134caa1e4789f690f99ee26751715867186 (diff) | |
[Backport] CVE-2018-6129
VP9 temporal index bounds check.
Merge to M67.
Bug: chromium:838672
Reviewed-on: https://webrtc-review.googlesource.com/73701
Change-Id: If715de60d416a4f164dc62e6cc67ff40b7e10e86
Reviewed-by: Michael BrĂ¼ning <michael.bruning@qt.io>
| -rw-r--r-- | chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc | 6 | ||||
| -rw-r--r-- | chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder_unittest.cc | 16 |
2 files changed, 22 insertions, 0 deletions
diff --git a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc index 48b7ce8e577..81df0cc64e4 100644 --- a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc +++ b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc @@ -508,6 +508,12 @@ bool RtpFrameReferenceFinder::MissingRequiredFrameVp9(uint16_t picture_id, size_t gof_idx = diff % info.gof->num_frames_in_gof; size_t temporal_idx = info.gof->temporal_idx[gof_idx]; + if (temporal_idx >= kMaxTemporalLayers) { + LOG(LS_WARNING) << "At most " << kMaxTemporalLayers << " temporal " + << "layers are supported."; + return true; + } + // For every reference this frame has, check if there is a frame missing in // the interval (|ref_pid|, |picture_id|) in any of the lower temporal // layers. If so, we are missing a required frame. diff --git a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder_unittest.cc b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder_unittest.cc index 928785c107f..2d6588825c9 100644 --- a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder_unittest.cc +++ b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder_unittest.cc @@ -1453,5 +1453,21 @@ TEST_F(TestRtpFrameReferenceFinder, Vp9PidFix_DropOldFrame) { CheckReferencesVp9(129, 0); } +TEST_F(TestRtpFrameReferenceFinder, Vp9GofTidTooHigh) { + // Same as RtpFrameReferenceFinder::kMaxTemporalLayers. + const int kMaxTemporalLayers = 5; + uint16_t pid = Rand(); + uint16_t sn = Rand(); + GofInfoVP9 ss; + ss.SetGofInfoVP9(kTemporalStructureMode2); + ss.temporal_idx[1] = kMaxTemporalLayers; + + InsertVp9Gof(sn, sn, true, pid, 0, 0, 0, false, &ss); + InsertVp9Gof(sn + 1, sn + 1, false, pid + 1, 0, 0, 1); + + ASSERT_EQ(1UL, frames_from_callback_.size()); + CheckReferencesVp9(0, 0); +} + } // namespace video_coding } // namespace webrtc |