commit eecf8c31fdf717b0bddf411d09e80410ab1f0edc parent ca6da02d6dd9aaf8b91c7037cdc43855f4755085 Author: Michael Froman <mfroman@mozilla.com> Date: Wed, 8 Oct 2025 18:46:28 -0500 Bug 1993083 - Vendor libwebrtc from e610d18231 Upstream commit: https://webrtc.googlesource.com/src/+/e610d18231e34f4f839900ddc9dd61e721626efc RTC_CHECK spatial index in correct range: [0-kMaxSpatialLayers) Currently the spatial index is an int even though it should be non negative. It is also checked in receiver side if spatial_id >= kMaxSpatialLayers, but doesn't protect explicitly from negative values. That in turn expose to out of bounds read/write which could be a security issue. In this CL I add an RTC_CHECK that those are in-range. Please see discussion in https://webrtc-review.googlesource.com/c/src/+/390060 with my previous attempt to mitigate this, and conclusion to add an RTC_CHECK instead of changing the spatial_id to uint32_t. Bug: webrtc:411452026 Change-Id: Ie84e8214c99eef38c43a6adafff5df0bf30c4213 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/394180 Commit-Queue: Philipp Hancke <phancke@meta.com> Reviewed-by: Danil Chapovalov <danilchap@webrtc.org> Reviewed-by: Sergey Silkin <ssilkin@webrtc.org> Cr-Commit-Position: refs/heads/main@{#45078} Diffstat:
11 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/third_party/libwebrtc/README.mozilla.last-vendor b/third_party/libwebrtc/README.mozilla.last-vendor @@ -1,4 +1,4 @@ # ./mach python dom/media/webrtc/third_party_build/vendor-libwebrtc.py --from-local /home/mfroman/mozilla/elm/.moz-fast-forward/moz-libwebrtc --commit mozpatches libwebrtc -libwebrtc updated from /home/mfroman/mozilla/elm/.moz-fast-forward/moz-libwebrtc commit mozpatches on 2025-10-08T23:45:14.243596+00:00. +libwebrtc updated from /home/mfroman/mozilla/elm/.moz-fast-forward/moz-libwebrtc commit mozpatches on 2025-10-08T23:46:19.019350+00:00. # base of lastest vendoring -de20e5ec63 +e610d18231 diff --git a/third_party/libwebrtc/moz-patch-stack/s0030.patch b/third_party/libwebrtc/moz-patch-stack/s0030.patch @@ -25,10 +25,10 @@ index ae9951e6f9..c69ec1a674 100644 // See LntfConfig for description. diff --git a/video/rtp_video_stream_receiver2.cc b/video/rtp_video_stream_receiver2.cc -index 66d213592d..7a06f1a820 100644 +index 44077918b5..18af239ab4 100644 --- a/video/rtp_video_stream_receiver2.cc +++ b/video/rtp_video_stream_receiver2.cc -@@ -1408,7 +1408,7 @@ void RtpVideoStreamReceiver2::StartReceive() { +@@ -1411,7 +1411,7 @@ void RtpVideoStreamReceiver2::StartReceive() { // Change REMB candidate egibility. packet_router_->RemoveReceiveRtpModule(rtp_rtcp_.get()); packet_router_->AddReceiveRtpModule(rtp_rtcp_.get(), diff --git a/third_party/libwebrtc/moz-patch-stack/s0035.patch b/third_party/libwebrtc/moz-patch-stack/s0035.patch @@ -267,7 +267,7 @@ index 40836198de..d2304e87db 100644 // DEPRECATED, transport_feedback_callback is no longer invoked by the RTP diff --git a/video/rtp_video_stream_receiver2.cc b/video/rtp_video_stream_receiver2.cc -index 7a06f1a820..8de1772b98 100644 +index 18af239ab4..0f567621ee 100644 --- a/video/rtp_video_stream_receiver2.cc +++ b/video/rtp_video_stream_receiver2.cc @@ -129,7 +129,8 @@ std::unique_ptr<ModuleRtpRtcpImpl2> CreateRtpRtcpModule( diff --git a/third_party/libwebrtc/moz-patch-stack/s0037.patch b/third_party/libwebrtc/moz-patch-stack/s0037.patch @@ -15,10 +15,10 @@ Mercurial Revision: https://hg.mozilla.org/mozilla-central/rev/edac9d01a9ac7594f 3 files changed, 24 insertions(+) diff --git a/video/rtp_video_stream_receiver2.cc b/video/rtp_video_stream_receiver2.cc -index 8de1772b98..af42c12aa4 100644 +index 0f567621ee..b23850b7f5 100644 --- a/video/rtp_video_stream_receiver2.cc +++ b/video/rtp_video_stream_receiver2.cc -@@ -1174,6 +1174,16 @@ std::optional<int64_t> RtpVideoStreamReceiver2::LastReceivedKeyframePacketMs() +@@ -1177,6 +1177,16 @@ std::optional<int64_t> RtpVideoStreamReceiver2::LastReceivedKeyframePacketMs() return std::nullopt; } diff --git a/third_party/libwebrtc/moz-patch-stack/s0042.patch b/third_party/libwebrtc/moz-patch-stack/s0042.patch @@ -159,10 +159,10 @@ index d2304e87db..bbdb38864e 100644 // Within this list, the sender-source SSRC pair is unique and per-pair the // ReportBlockData represents the latest Report Block that was received for diff --git a/video/rtp_video_stream_receiver2.cc b/video/rtp_video_stream_receiver2.cc -index af42c12aa4..beb2c93f82 100644 +index b23850b7f5..50bdf6b311 100644 --- a/video/rtp_video_stream_receiver2.cc +++ b/video/rtp_video_stream_receiver2.cc -@@ -1179,9 +1179,10 @@ std::optional<int64_t> RtpVideoStreamReceiver2::LastReceivedKeyframePacketMs() +@@ -1182,9 +1182,10 @@ std::optional<int64_t> RtpVideoStreamReceiver2::LastReceivedKeyframePacketMs() // seem to be any support for these stats right now. So, we hack this in. void RtpVideoStreamReceiver2::RemoteRTCPSenderInfo( uint32_t* packet_count, uint32_t* octet_count, diff --git a/third_party/libwebrtc/moz-patch-stack/s0057.patch b/third_party/libwebrtc/moz-patch-stack/s0057.patch @@ -214,7 +214,7 @@ index 023f4fa5f2..9c4df5c5ea 100644 int current_delay_ms, int target_delay_ms, diff --git a/video/rtp_video_stream_receiver2.cc b/video/rtp_video_stream_receiver2.cc -index beb2c93f82..f414c80996 100644 +index 50bdf6b311..e7652ffb89 100644 --- a/video/rtp_video_stream_receiver2.cc +++ b/video/rtp_video_stream_receiver2.cc @@ -286,6 +286,7 @@ RtpVideoStreamReceiver2::RtpVideoStreamReceiver2( @@ -233,7 +233,7 @@ index beb2c93f82..f414c80996 100644 packet_buffer_(kPacketBufferStartSize, PacketBufferMaxSize(env_.field_trials())), reference_finder_(std::make_unique<RtpFrameReferenceFinder>()), -@@ -1399,7 +1401,8 @@ void RtpVideoStreamReceiver2::FrameDecoded(int64_t picture_id) { +@@ -1402,7 +1404,8 @@ void RtpVideoStreamReceiver2::FrameDecoded(int64_t picture_id) { int64_t unwrapped_rtp_seq_num = rtp_seq_num_unwrapper_.Unwrap(seq_num); packet_infos_.erase(packet_infos_.begin(), packet_infos_.upper_bound(unwrapped_rtp_seq_num)); diff --git a/third_party/libwebrtc/moz-patch-stack/s0058.patch b/third_party/libwebrtc/moz-patch-stack/s0058.patch @@ -30,10 +30,10 @@ index e35f8babb1..7bb737f239 100644 void ReceiveStatisticsProxy::OnPreDecode(VideoCodecType codec_type, int qp) { diff --git a/video/rtp_video_stream_receiver2.cc b/video/rtp_video_stream_receiver2.cc -index f414c80996..0f1ae9f2f5 100644 +index e7652ffb89..adc73be9f7 100644 --- a/video/rtp_video_stream_receiver2.cc +++ b/video/rtp_video_stream_receiver2.cc -@@ -1402,7 +1402,9 @@ void RtpVideoStreamReceiver2::FrameDecoded(int64_t picture_id) { +@@ -1405,7 +1405,9 @@ void RtpVideoStreamReceiver2::FrameDecoded(int64_t picture_id) { packet_infos_.erase(packet_infos_.begin(), packet_infos_.upper_bound(unwrapped_rtp_seq_num)); uint32_t num_packets_cleared = packet_buffer_.ClearTo(seq_num); diff --git a/third_party/libwebrtc/moz-patch-stack/s0059.patch b/third_party/libwebrtc/moz-patch-stack/s0059.patch @@ -166,7 +166,7 @@ index 7bb737f239..5c97607c6d 100644 } diff --git a/video/rtp_video_stream_receiver2.cc b/video/rtp_video_stream_receiver2.cc -index 0f1ae9f2f5..c992272dfa 100644 +index adc73be9f7..f329ba390a 100644 --- a/video/rtp_video_stream_receiver2.cc +++ b/video/rtp_video_stream_receiver2.cc @@ -91,6 +91,7 @@ @@ -177,7 +177,7 @@ index 0f1ae9f2f5..c992272dfa 100644 #include "system_wrappers/include/ntp_time.h" #include "video/buffered_frame_decryptor.h" -@@ -1403,6 +1404,9 @@ void RtpVideoStreamReceiver2::FrameDecoded(int64_t picture_id) { +@@ -1406,6 +1407,9 @@ void RtpVideoStreamReceiver2::FrameDecoded(int64_t picture_id) { packet_infos_.upper_bound(unwrapped_rtp_seq_num)); uint32_t num_packets_cleared = packet_buffer_.ClearTo(seq_num); if (num_packets_cleared > 0) { diff --git a/third_party/libwebrtc/moz-patch-stack/s0060.patch b/third_party/libwebrtc/moz-patch-stack/s0060.patch @@ -9,10 +9,10 @@ Mercurial Revision: https://hg.mozilla.org/mozilla-central/rev/5b2a7894ef1cf096d 1 file changed, 6 insertions(+) diff --git a/video/rtp_video_stream_receiver2.cc b/video/rtp_video_stream_receiver2.cc -index c992272dfa..4136ae943f 100644 +index f329ba390a..f4393ce8c5 100644 --- a/video/rtp_video_stream_receiver2.cc +++ b/video/rtp_video_stream_receiver2.cc -@@ -827,6 +827,12 @@ void RtpVideoStreamReceiver2::OnRtpPacket(const RtpPacketReceived& packet) { +@@ -830,6 +830,12 @@ void RtpVideoStreamReceiver2::OnRtpPacket(const RtpPacketReceived& packet) { void RtpVideoStreamReceiver2::RequestKeyFrame() { RTC_DCHECK_RUN_ON(&worker_task_checker_); diff --git a/third_party/libwebrtc/moz-patch-stack/s0071.patch b/third_party/libwebrtc/moz-patch-stack/s0071.patch @@ -50,7 +50,7 @@ index 1e6678b4ee..1ed48c08d7 100644 Clock* const clock_; bool short_circuit_ RTC_GUARDED_BY(network_sequence_checker_) = false; diff --git a/video/rtp_video_stream_receiver2.cc b/video/rtp_video_stream_receiver2.cc -index 4136ae943f..ad9d51c47a 100644 +index f4393ce8c5..01fcda45d0 100644 --- a/video/rtp_video_stream_receiver2.cc +++ b/video/rtp_video_stream_receiver2.cc @@ -383,7 +383,7 @@ RtpVideoStreamReceiver2::RtpVideoStreamReceiver2( diff --git a/third_party/libwebrtc/video/rtp_video_stream_receiver2.cc b/third_party/libwebrtc/video/rtp_video_stream_receiver2.cc @@ -556,6 +556,8 @@ void RtpVideoStreamReceiver2::SetLastCorruptionDetectionIndex( const std::variant<FrameInstrumentationSyncData, FrameInstrumentationData>& frame_instrumentation_data, int spatial_idx) { + RTC_CHECK_GE(spatial_idx, 0); + RTC_CHECK_LT(spatial_idx, kMaxSpatialLayers); if (const auto* sync_data = std::get_if<FrameInstrumentationSyncData>( &frame_instrumentation_data)) { last_corruption_detection_state_by_layer_[spatial_idx].sequence_index = @@ -683,6 +685,7 @@ bool RtpVideoStreamReceiver2::OnReceivedPayloadData( std::optional<CorruptionDetectionMessage> message = rtp_packet.GetExtension<CorruptionDetectionExtension>(); if (message.has_value() && spatial_id.has_value()) { + RTC_CHECK_GE(*spatial_id, 0); if (message->sample_values().empty()) { video_header.frame_instrumentation_data = ConvertCorruptionDetectionMessageToFrameInstrumentationSyncData(