authorRoger Zanoni <rzanoni@google.com>2022-07-04 11:39:45 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-07-25 14:24:41 +0000
commit8fe6e98e6047c1e4b6a470067ad7e09ff648c15f (patch)
tree8c1e08c4120a139a7c09e8564b3e9445f08e64ba
parent1c2293d656b2c6fe822f8575f430abcfadd40b4a (diff)
[Backport] CVE-2022-2294: Heap buffer overflow in WebRTC (2/2)
Cherry-pick of patch originally reviewed on https://webrtc-review.googlesource.com/c/src/+/267628: Ignore RID that appears without an a=simulcast entry RID is defined for multiple usages in RFC 8851, but we only support usage with a=simulcast as specified in RFC 8853. Bug: chromium:1341043 Change-Id: Ie72074c5b394bdc41865938a86ec9c7629e1f5e0 Commit-Queue: Harald Alvestrand <hta@webrtc.org> Cr-Commit-Position: refs/heads/main@{#37417} (cherry picked from commit 1c5808145e8b151800b0320b8a7316a09b706488) Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/webrtc/pc/webrtc_sdp.cc7
1 files changed, 5 insertions, 2 deletions
diff --git a/chromium/third_party/webrtc/pc/webrtc_sdp.cc b/chromium/third_party/webrtc/pc/webrtc_sdp.cc
index 3a1b6a12bb0..4295f4e9ad2 100644
--- a/chromium/third_party/webrtc/pc/webrtc_sdp.cc
+++ b/chromium/third_party/webrtc/pc/webrtc_sdp.cc
@@ -3293,7 +3293,6 @@ bool ParseContent(const std::string& message,
// If simulcast is specifed, split the rids into send and receive.
// Rids that do not appear in simulcast attribute will be removed.
- // If it is not specified, we assume that all rids are for send layers.
std::vector<RidDescription> send_rids;
std::vector<RidDescription> receive_rids;
if (!simulcast.empty()) {
@@ -3320,7 +3319,11 @@ bool ParseContent(const std::string& message,
media_desc->set_simulcast_description(simulcast);
} else {
- send_rids = rids;
+ // RID is specified in RFC 8851, which identifies a lot of usages.
+ // We only support RFC 8853 usage of RID, not anything else.
+ // Ignore all RID parameters when a=simulcast is missing.
+ // In particular do NOT do send_rids = rids;
+ RTC_LOG(LS_VERBOSE) << "Ignoring send_rids without simulcast";
}
media_desc->set_receive_rids(receive_rids);
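Review bot: The new `else` branch logs "Ignoring send_rids without simulcast" for every media section that has no a=simulcast line, whether or not any a=rid lines were parsed, so the message cannot show when RIDs were actually discarded. Guarding it, for example `if (!rids.empty()) RTC_LOG(LS_WARNING) << "Ignoring " << rids.size() << " a=rid line(s) without a=simulcast";`, would make the dropped input visible when triaging malformed or hostile SDP (this assumes `rids` is the parsed RID vector, as the removed `send_rids = rids;` suggests). The diffstat lists only webrtc_sdp.cc, so this backport carries no regression test. A parser test that feeds an offer with a=rid but no a=simulcast and asserts the resulting send RIDs are empty would keep the old assignment from coming back. ParseContent starts and ends outside this hunk, so how `send_rids` is consumed after `set_receive_rids` is not visible here.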