From 606fc8cdf8a57451a3979bacd6fbfeb6ca21837f Mon Sep 17 00:00:00 2001 From: Michal Klocek Date: Tue, 5 Jun 2018 12:46:38 +0200 Subject: [Backport] CVE-2018-6130 Reland "Check that iterator is valid before dereferencing in RtpFrameReferenceFinder." This reverts commit 1998d56bf17b598fba506cd602a6b0dcc1f663a5. Reason for revert: Creating fix for previously broken CL. Bug: chromium:838402 Reviewed-on: https://webrtc-review.googlesource.com/76480 Change-Id: I682b3c30dc45c3bbec3b58bb419c46ac79fa71ce Reviewed-by: Allan Sandfeld Jensen --- .../webrtc/modules/video_coding/rtp_frame_reference_finder.cc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc index dce35549d61..b2511351f5f 100644 --- a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc +++ b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc @@ -461,8 +461,12 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp9( RTC_LOG(LS_WARNING) << "Received keyframe without scalability structure"; frame->num_references = 0; - GofInfo info = gof_info_.find(codec_header.tl0_pic_idx)->second; - FrameReceivedVp9(frame->picture_id, &info); + auto gof_info_it = gof_info_.find(codec_header.tl0_pic_idx); + if (gof_info_it == gof_info_.end()) + return kDrop; + + FrameReceivedVp9(frame->picture_id, &gof_info_it->second); + UnwrapPictureIds(frame); return kHandOff; } -- cgit v1.2.3