From 6f3d01c829c28d8910ad63e61693bd8b9fbba06a Mon Sep 17 00:00:00 2001
From: Karl Wiberg <kwiberg@webrtc.org>
Date: Thu, 26 Apr 2018 11:18:33 +0200
Subject: [PATCH] "Fix" signed integer overflow in old code

It's safe to ignore this overflow since it only affects audio data,
not indices or anything like that.

Bug: chromium:835637
Change-Id: I60162e4627b08d5e3ba3a21fdae8087f098c7e46
Reviewed-on: https://webrtc-review.googlesource.com/72701
Reviewed-by: Henrik Lundin <henrik.lundin@webrtc.org>
Commit-Queue: Karl Wiberg <kwiberg@webrtc.org>
Cr-Commit-Position: refs/heads/master@{#23030}
---
 modules/audio_coding/codecs/ilbc/cb_construct.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/modules/audio_coding/codecs/ilbc/cb_construct.c b/modules/audio_coding/codecs/ilbc/cb_construct.c
index e2ae361ee3..1e9a7040c7 100644
--- a/modules/audio_coding/codecs/ilbc/cb_construct.c
+++ b/modules/audio_coding/codecs/ilbc/cb_construct.c
@@ -21,6 +21,15 @@
 #include "modules/audio_coding/codecs/ilbc/defines.h"
 #include "modules/audio_coding/codecs/ilbc/gain_dequant.h"
 #include "modules/audio_coding/codecs/ilbc/get_cd_vec.h"
+#include "rtc_base/sanitizer.h"
+
+// An arithmetic operation that is allowed to overflow. (It's still undefined
+// behavior, so not a good idea; this just makes UBSan ignore the violation, so
+// that our old code can continue to do what it's always been doing.)
+static inline int32_t RTC_NO_SANITIZE("signed-integer-overflow")
+    OverflowingAddS32S32ToS32(int32_t a, int32_t b) {
+  return a + b;
+}
 
 /*----------------------------------------------------------------*
  *  Construct decoded vector from codebook and gains.
@@ -62,7 +71,7 @@ bool WebRtcIlbcfix_CbConstruct(
   for (j=0;j<veclen;j++) {
     a32 = (*gainPtr++) * cbvec0[j];
     a32 += (*gainPtr++) * cbvec1[j];
-    a32 += (*gainPtr) * cbvec2[j];
+    a32 = OverflowingAddS32S32ToS32(a32, (*gainPtr) * cbvec2[j]);
     gainPtr -= 2;
     decvector[j] = (int16_t)((a32 + 8192) >> 14);
   }