RtpReferenceFrameFinder: protect against crashes due to large temporal idx value on the wire

Bug: chromium:1042933
Change-Id: Ide37812a73b72e744f45b671918dc9817775e1f4
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/166463
Reviewed-by: Sergey Silkin <ssilkin@webrtc.org>
Commit-Queue: Ilya Nikolaevskiy <ilnik@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#30307}

modules/video_coding/rtp_frame_reference_finder.cc

@@ -289,6 +289,10 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp8(
     return ManageFramePidOrSeqNum(frame, codec_header.pictureId);
   }
 
+  // Protect against corrupted packets with arbitrary large temporal idx.
+  if (codec_header.temporalIdx >= kMaxTemporalLayers)
+    return kDrop;
+
   frame->id.picture_id = codec_header.pictureId % kPicIdLength;
 
   if (last_picture_id_ == -1)
@@ -433,6 +437,10 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp9(
     return ManageFramePidOrSeqNum(frame, codec_header.picture_id);
   }
 
+  // Protect against corrupted packets with arbitrary large temporal idx.
+  if (codec_header.temporal_idx >= kMaxTemporalLayers)
+    return kDrop;
+
   frame->id.spatial_layer = codec_header.spatial_idx;
   frame->inter_layer_predicted = codec_header.inter_layer_predicted;
   frame->id.picture_id = codec_header.picture_id % kPicIdLength;
@@ -688,6 +696,10 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameH264(
   if (tid == kNoTemporalIdx)
     return ManageFramePidOrSeqNum(std::move(frame), kNoPictureId);
 
+  // Protect against corrupted packets with arbitrary large temporal idx.
+  if (tid >= kMaxTemporalLayers)
+    return kDrop;
+
   frame->id.picture_id = frame->last_seq_num();
 
   if (frame->frame_type() == VideoFrameType::kVideoFrameKey) {