From 6c4b486ce6023ea06ea0773e3e043fb36918b695 Mon Sep 17 00:00:00 2001
From: Ilya Nikolaevskiy
Date: Fri, 17 Jan 2020 16:40:02 +0100
Subject: [Backport] CVE-2020-6389 - Out of bounds write in WebRTC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual backport of patch originally reviewed on https://webrtc-review.googlesource.com/c/src/+/166463: RtpReferenceFrameFinder: protect against crashes due to large temporal idx value on the wire

Bug: chromium:1042933
Change-Id: I262c26961a35a6005e05738b5ed296d69f4cecda
Reviewed-by: Jüri Valdmann
---
 .../webrtc/modules/video_coding/rtp_frame_reference_finder.cc | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc
index 62f8d7d8a1f..936f53f395b 100644
--- a/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc
+++ b/chromium/third_party/webrtc/modules/video_coding/rtp_frame_reference_finder.cc
@@ -281,6 +281,9 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp8(
       codec_header.tl0PicIdx == kNoTl0PicIdx) {
     return ManageFramePidOrSeqNum(frame, codec_header.pictureId);
   }
+  // Protect against corrupted packets with arbitrary large temporal idx.
+  if (codec_header.temporalIdx >= kMaxTemporalLayers)
+    return kDrop;
 
   frame->id.picture_id = codec_header.pictureId % kPicIdLength;
 
@@ -431,6 +434,10 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp9(
     return ManageFramePidOrSeqNum(frame, codec_header.picture_id);
   }
 
+  // Protect against corrupted packets with arbitrary large temporal idx.
+  if (codec_header.temporal_idx >= kMaxTemporalLayers)
+    return kDrop;
+
   frame->id.spatial_layer = codec_header.spatial_idx;
   frame->inter_layer_predicted = codec_header.inter_layer_predicted;
   frame->id.picture_id = codec_header.picture_id % kPicIdLength;
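Review bot: The new guard `if (codec_header.temporalIdx >= kMaxTemporalLayers)` in ManageFrameVp8 also catches the "no temporal index" sentinel, whereas the H264 hunk routes `tid == kNoTemporalIdx` to ManageFramePidOrSeqNum before its bound check; the VP9 hunk has the same shape as this one. If kNoTemporalIdx is a value at or above kMaxTemporalLayers (it reads as a sentinel outside the layer range, but its definition is not in this patch), VP8 and VP9 frames that carry a picture id and tl0PicIdx but no temporal index now drop instead of following whatever path they took before. That may well be the intended outcome, since letting the sentinel reach code that indexes a per-layer table by it would reopen the write, but it should be decided explicitly rather than inherited from the comparison: either add a sentinel branch ahead of the guard as the H264 hunk does, or say so in the comment, e.g. `// kNoTemporalIdx also lands here and is dropped on purpose.` ManageFrameVp8 begins and ends outside the hunk.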
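Review bot: `frame->id.spatial_layer = codec_header.spatial_idx;` two lines below the new guard in ManageFrameVp9 copies a second wire-controlled index without any bound, so the patch validates only one of the two indices this function takes from the header. If spatial_idx is later used to index a fixed-size table (the rest of ManageFrameVp9 is outside the hunk, so this is inferred from the copy alone), it needs the same treatment as temporal_idx, for instance `if (codec_header.spatial_idx >= kMaxSpatialLayers) return kDrop;` if kMaxSpatialLayers is the limit in scope here. Even if nothing indexes by it today, bounding it next to the temporal check keeps the two wire fields under one rule. ManageFrameVp9 begins and ends outside the hunk.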
@@ -686,6 +693,10 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameH264(
   if (tid == kNoTemporalIdx)
     return ManageFramePidOrSeqNum(std::move(frame), kNoPictureId);
 
+  // Protect against corrupted packets with arbitrary large temporal idx.
+  if (tid >= kMaxTemporalLayers)
+    return kDrop;
+
   frame->id.picture_id = frame->last_seq_num();
 
   if (frame->frame_type() == VideoFrameType::kVideoFrameKey) {
--
cgit v1.2.1
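Review bot: The guard `if (tid >= kMaxTemporalLayers) return kDrop;` and its comment now appear verbatim in ManageFrameVp8, ManageFrameVp9 and here, each comparing a wire-provided temporal index against kMaxTemporalLayers; a single documented helper returning the decision would keep the three codec paths from drifting the next time the bound or the sentinel handling changes. The drop is also silent in all three places: a packet that fails this check is discarded with no counter or log, so a receiver under a stream of malformed headers looks identical to one with packet loss. A per-receiver counter or a rate-limited warning at the drop site (not an unconditional log, since the trigger is remote-controlled) would give operators a way to tell corruption from an attack. ManageFrameH264 begins and ends outside the hunk.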