From 4cbfe4192cd5b8289f7896ce14e0bd8c4ae41a97 Mon Sep 17 00:00:00 2001 From: Ivo Creusen Date: Tue, 16 Nov 2021 11:18:10 +0000 Subject: [PATCH] Fix out-of-bounds memory access due to large number of audio channels. The number of audio channels can be configured in SDP, and can thus be set to arbitrary values by an attacker. This CL fixes an out-of-bounds memory access that could occur when the number of channels is set to a large number. Bug: chromium:1265806 Change-Id: Ic88ff6d85b978b8eb99bf03cc52457a4552e8c24 Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/237808 Reviewed-by: Jakob Ivarsson Commit-Queue: Ivo Creusen Cr-Commit-Position: refs/heads/main@{#35354}
---
 modules/audio_coding/neteq/neteq_impl.cc | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/modules/audio_coding/neteq/neteq_impl.cc b/modules/audio_coding/neteq/neteq_impl.cc
index 7e3c4efab9..b415ff5a56 100644
--- a/modules/audio_coding/neteq/neteq_impl.cc
+++ b/modules/audio_coding/neteq/neteq_impl.cc
@@ -798,7 +798,19 @@ int NetEqImpl::GetAudioInternal(AudioFrame* audio_frame,
 RTC_DCHECK(audio_frame->muted()); // Reset() should mute the frame.
 playout_timestamp_ += static_cast(output_size_samples_);
 audio_frame->sample_rate_hz_ = fs_hz_;
- audio_frame->samples_per_channel_ = output_size_samples_;
+ // Make sure the total number of samples fits in the AudioFrame.
+ size_t num_output_samples_per_channel = output_size_samples_;
+ size_t num_output_samples = output_size_samples_ * sync_buffer_->Channels();
+ if (num_output_samples > AudioFrame::kMaxDataSizeSamples) {
+ RTC_LOG(LS_WARNING) << "Output array is too short. "
+ << AudioFrame::kMaxDataSizeSamples << " < "
+ << output_size_samples_ << " * "
+ << sync_buffer_->Channels();
+ num_output_samples = AudioFrame::kMaxDataSizeSamples;
+ num_output_samples_per_channel =
+ AudioFrame::kMaxDataSizeSamples / sync_buffer_->Channels();
+ }
+ audio_frame->samples_per_channel_ = num_output_samples_per_channel;
 audio_frame->timestamp_ = first_packet_ ? 0
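Review bot: When `sync_buffer_->Channels()` alone exceeds `AudioFrame::kMaxDataSizeSamples`, the clamp's division `AudioFrame::kMaxDataSizeSamples / sync_buffer_->Channels()` yields 0, so the frame gets `samples_per_channel_ = 0`. That case deserves a comment such as `// May be 0 when the channel count alone exceeds the frame capacity.`, and a check that the code setting the frame's channel count and the consumers of the frame (both outside the hunk) tolerate it. The commit message says the channel count comes from SDP, so the `RTC_LOG(LS_WARNING)` sits on a path a remote peer controls. If GetAudioInternal runs once per output frame (not visible here), a log-once or rate-limited message would keep the warning from flooding the log. `num_output_samples` is reassigned inside the branch but never read in the visible lines; unless later code uses it, make the product a `const size_t` used only for the comparison and drop the `num_output_samples = AudioFrame::kMaxDataSizeSamples;` line. The enclosing function starts and ends outside the hunk.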