Added limit to elapsed time in paced sender.

Added sanity checks to interval budget to protect against integer
overflow. To avoid tests failing due to initializing paced sender
in another time domain, the elapsed time that is input into the
interval budget is limited to max 2 seconds.

Bug: webrtc:8942
Change-Id: I9ed32f059e65df7898c37bb34a008189ce79dc60
Reviewed-on: https://webrtc-review.googlesource.com/58087
Reviewed-by: Tommi <tommi@webrtc.org>
Commit-Queue: Sebastian Jansson <srte@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#22220}

modules/pacing/interval_budget.cc

@@ -8,10 +8,11 @@
  *  be found in the AUTHORS file in the root of the source tree.
  */
 
-#include "modules/pacing/interval_budget.h"
-
 #include <algorithm>
 
+#include "modules/pacing/interval_budget.h"
+#include "rtc_base/numerics/safe_conversions.h"
+
 namespace webrtc {
 namespace {
 constexpr int kWindowMs = 500;
@@ -34,7 +35,7 @@ void IntervalBudget::set_target_rate_kbps(int target_rate_kbps) {
 }
 
 void IntervalBudget::IncreaseBudget(int64_t delta_time_ms) {
-  int bytes = target_rate_kbps_ * delta_time_ms / 8;
+  int bytes = rtc::dchecked_cast<int>(target_rate_kbps_ * delta_time_ms / 8);
   if (bytes_remaining_ < 0 || can_build_up_underuse_) {
     // We overused last interval, compensate this interval.
     bytes_remaining_ = std::min(bytes_remaining_ + bytes, max_bytes_in_budget_);
@@ -56,7 +57,8 @@ size_t IntervalBudget::bytes_remaining() const {
 int IntervalBudget::budget_level_percent() const {
   if (max_bytes_in_budget_ == 0)
     return 0;
-  return bytes_remaining_ * 100 / max_bytes_in_budget_;
+  return rtc::dchecked_cast<int>(int64_t{bytes_remaining_} * 100 /
+                                 max_bytes_in_budget_);
 }
 
 int IntervalBudget::target_rate_kbps() const {

modules/pacing/paced_sender.cc

@@ -35,6 +35,7 @@ namespace {
 // Time limit in milliseconds between packet bursts.
 const int64_t kMinPacketLimitMs = 5;
 const int64_t kPausedPacketIntervalMs = 500;
+const int64_t kMaxElapsedTimeMs = 2000;
 
 // Upper cap on process interval, in case process has not been called in a long
 // time.
@@ -260,7 +261,12 @@ void PacedSender::Process() {
   rtc::CritScope cs(&critsect_);
   time_last_process_us_ = now_us;
   int64_t elapsed_time_ms = (now_us - last_send_time_us_ + 500) / 1000;
-
+  if (elapsed_time_ms > kMaxElapsedTimeMs) {
+    RTC_LOG(LS_WARNING) << "Elapsed time (" << elapsed_time_ms
+                        << " ms) longer than expected, limiting to "
+                        << kMaxElapsedTimeMs << " ms";
+    elapsed_time_ms = kMaxElapsedTimeMs;
+  }
   // When paused we send a padding packet every 500 ms to ensure we won't get
   // stuck in the paused state due to no feedback being received.
   if (paused_) {