authorIlya Nikolaevskiy <ilnik@webrtc.org>2020-01-17 16:40:02 +0100
committerMichael Brüning <michael.bruning@qt.io>2020-03-05 14:09:56 +0000
commit6c4b486ce6023ea06ea0773e3e043fb36918b695 (patch)
treec1e1168ad068f7ccf7a397a312eb26a276561ee2
parent51012dcb3e6ef5f59d5dcc001a00e2b087c44c97 (diff)
[Backport] CVE-2020-6389 - Out of bounds write in WebRTC
Manual backport of patch originally reviewed on https://webrtc-review.googlesource.com/c/src/+/166463: RtpReferenceFrameFinder: protect against crashes due to large temporal idx value on the wire Bug: chromium:1042933 Change-Id: I262c26961a35a6005e05738b5ed296d69f4cecda Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc11
1 files changed, 11 insertions, 0 deletions
diff --git a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc
index 62f8d7d8a1f..936f53f395b 100644
--- a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc
+++ b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc
@@ -281,6 +281,9 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp8(
codec_header.tl0PicIdx == kNoTl0PicIdx) {
return ManageFramePidOrSeqNum(frame, codec_header.pictureId);
}
+ // Protect against corrupted packets with arbitrary large temporal idx.
+ if (codec_header.temporalIdx >= kMaxTemporalLayers)
+ return kDrop;
frame->id.picture_id = codec_header.pictureId % kPicIdLength;
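Review bot: The new guard `if (codec_header.temporalIdx >= kMaxTemporalLayers)` drops the frame without leaving any trace, and the same is true of the identical guards added in ManageFrameVp9 and ManageFrameH264. The value comes off the wire and the commit title ties it to an out-of-bounds write, so a rate-limited warning before `return kDrop;` would let operators see malformed streams instead of unexplained frame loss. The comment could state the invariant rather than the symptom, for example `// temporal idx is wire-controlled and indexes per-layer state sized kMaxTemporalLayers; reject out-of-range values.` The per-layer state in question is presumably further down the function, outside this hunk. The commit touches only this file, so a regression test that feeds an out-of-range temporal idx through each of the three codec paths is still missing.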
@@ -431,6 +434,10 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp9(
return ManageFramePidOrSeqNum(frame, codec_header.picture_id);
}
+ // Protect against corrupted packets with arbitrary large temporal idx.
+ if (codec_header.temporal_idx >= kMaxTemporalLayers)
+ return kDrop;
+
frame->id.spatial_layer = codec_header.spatial_idx;
frame->inter_layer_predicted = codec_header.inter_layer_predicted;
frame->id.picture_id = codec_header.picture_id % kPicIdLength;
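Review bot: `codec_header.spatial_idx` comes from the same wire header as `temporal_idx`, yet `frame->id.spatial_layer = codec_header.spatial_idx;` on the line right after the new check copies it without any range validation. If the spatial layer is used as an index or a count anywhere downstream (not visible in this hunk), it needs the same treatment. Please confirm it is bounded elsewhere, or add a check next to this one, e.g. against `kMaxSpatialLayers` if that constant is in scope here. ManageFrameVp9 starts and ends outside the hunk.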
@@ -686,6 +693,10 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameH264(
if (tid == kNoTemporalIdx)
return ManageFramePidOrSeqNum(std::move(frame), kNoPictureId);
+ // Protect against corrupted packets with arbitrary large temporal idx.
+ if (tid >= kMaxTemporalLayers)
+ return kDrop;
+
frame->id.picture_id = frame->last_seq_num();
if (frame->frame_type() == VideoFrameType::kVideoFrameKey) {
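Review bot: `if (tid >= kMaxTemporalLayers)` is a complete bound only if `tid` is unsigned, and its declaration sits above this hunk. If it is a signed type, a negative value would pass the check and still reach whatever is indexed by it further down; in that case the condition should read `if (tid < 0 || tid >= kMaxTemporalLayers)`. The guard also depends on coming after the `tid == kNoTemporalIdx` test, because the sentinel would presumably be caught by the bound and dropped rather than routed to ManageFramePidOrSeqNum. A short comment such as `// must stay after the kNoTemporalIdx check` would keep a later refactor from swapping them. ManageFrameH264 continues past the end of the hunk.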