From ef0d76ae836bf0370065fc7e1858301aa47ef1df Mon Sep 17 00:00:00 2001
From: Ilya Nikolaevskiy <ilnik@webrtc.org>
Date: Wed, 5 Feb 2020 18:01:31 +0100
Subject: [PATCH] Add more VP9 header correctness check in
 RtpFrameReferenceFinder

Bug: chromium:1049129
Change-Id: I133673d86aadd6a87b3420a04bbf45ed53841a96
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/168240
Reviewed-by: Philip Eliasson <philipel@webrtc.org>
Commit-Queue: Ilya Nikolaevskiy <ilnik@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#30466}
---
 modules/video_coding/rtp_frame_reference_finder.cc | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/modules/video_coding/rtp_frame_reference_finder.cc b/modules/video_coding/rtp_frame_reference_finder.cc
index 5007fbbc86..e67ac664b1 100644
--- a/modules/video_coding/rtp_frame_reference_finder.cc
+++ b/modules/video_coding/rtp_frame_reference_finder.cc
@@ -435,7 +435,8 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp9(
   }
 
   // Protect against corrupted packets with arbitrary large temporal idx.
-  if (codec_header.temporal_idx >= kMaxTemporalLayers)
+  if (codec_header.temporal_idx >= kMaxTemporalLayers ||
+      codec_header.spatial_idx >= kMaxSpatialLayers)
     return kDrop;
 
   frame->id.spatial_layer = codec_header.spatial_idx;
@@ -477,6 +478,12 @@ RtpFrameReferenceFinder::FrameDecision RtpFrameReferenceFinder::ManageFrameVp9(
         return kDrop;
       }
 
+      for (size_t i = 0; i < codec_header.gof.num_frames_in_gof; ++i) {
+        if (codec_header.gof.num_ref_pics[i] > kMaxVp9RefPics) {
+          return kDrop;
+        }
+      }
+
       GofInfoVP9 gof = codec_header.gof;
       if (gof.num_frames_in_gof == 0) {
         RTC_LOG(LS_WARNING) << "Number of frames in GOF is zero. Assume "