From 338f58d95ce6ac19b851c85e74fa780231b2a3aa Mon Sep 17 00:00:00 2001
From: Karl Wiberg <kwiberg@webrtc.org>
Date: Thu, 5 Apr 2018 11:36:57 +0200
Subject: [PATCH] iSAC decoder: Don't read past the end of the buffer of
 encoded bytes

Bug: chromium:825524
Change-Id: Iff40a9fd62a34474af71b51dd3831a16412fbf3b
Reviewed-on: https://webrtc-review.googlesource.com/66361
Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org>
Commit-Queue: Karl Wiberg <kwiberg@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#22748}
---
 modules/audio_coding/codecs/isac/main/source/isac.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/modules/audio_coding/codecs/isac/main/source/isac.c b/modules/audio_coding/codecs/isac/main/source/isac.c
index 79dc7e2b39..525e0f3dbd 100644
--- a/modules/audio_coding/codecs/isac/main/source/isac.c
+++ b/modules/audio_coding/codecs/isac/main/source/isac.c
@@ -1266,8 +1266,10 @@ static int Decode(ISACStruct* ISAC_main_inst,
 
         /* It might be less due to garbage. */
         if ((numDecodedBytesUB != lenNextStream) &&
-            (numDecodedBytesUB != (lenNextStream -
-                encoded[numDecodedBytesLB + 1 + numDecodedBytesUB]))) {
+            (numDecodedBytesLB + 1 + numDecodedBytesUB >= lenEncodedBytes ||
+             numDecodedBytesUB !=
+                 (lenNextStream -
+                  encoded[numDecodedBytesLB + 1 + numDecodedBytesUB]))) {
           instISAC->errorCode = ISAC_LENGTH_MISMATCH;
           return -1;
         }