From b7261fd3ae7c31269b8c282e4c4c55dd3946db45 Mon Sep 17 00:00:00 2001
From: kwiberg
Date: Wed, 24 Feb 2016 01:34:29 -0800
Subject: [PATCH] iSAC float: Check for end of input buffer while decoding
Previously, we relied on the encoded stream to come to an end before the end of the buffer. This is a bad idea, since it is possible to craft a stream that fills the buffer while decoding to less than the expected amount of data; without the new checks introduced here, this causes the decoder to read past the end of the input buffer.
BUG=chromium:582471, chromium:587852
Review URL: https://codereview.webrtc.org/1721593004
Cr-Commit-Position: refs/heads/master@{#11734}
---
 .../codecs/isac/main/source/arith_routines_logist.c | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/webrtc/modules/audio_coding/codecs/isac/main/source/arith_routines_logist.c b/webrtc/modules/audio_coding/codecs/isac/main/source/arith_routines_logist.c
index eeed7ae553..a463d4853a 100644
--- a/webrtc/modules/audio_coding/codecs/isac/main/source/arith_routines_logist.c
+++ b/webrtc/modules/audio_coding/codecs/isac/main/source/arith_routines_logist.c
@@ -185,11 +185,18 @@ int WebRtcIsac_DecLogisticMulti2(
 int16_t candQ7;
 int k;
+ // Position just past the end of the stream. STREAM_SIZE_MAX_60 instead of
+ // STREAM_SIZE_MAX (which is the size of the allocated buffer) because that's
+ // the limit to how much data is filled in.
+ const uint8_t* const stream_end = streamdata->stream + STREAM_SIZE_MAX_60;
+
 stream_ptr = streamdata->stream + streamdata->stream_index;
 W_upper = streamdata->W_upper;
 if (streamdata->stream_index == 0) /* first time decoder is called for this stream */
 {
 /* read first word from bytestream */
+ if (stream_ptr + 3 >= stream_end)
+ return -1; // Would read out of bounds. Malformed input?
 streamval = *stream_ptr << 24;
 streamval |= *++stream_ptr << 16;
 streamval |= *++stream_ptr << 8;
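Review bot: `stream_end` is derived from the compile-time constant `STREAM_SIZE_MAX_60`, not from the number of bytes actually received for this packet, so the new checks keep reads inside the filled region of the buffer but do not stop the decoder from consuming bytes that lie after a short payload. If the buffer is reused between packets those bytes may be stale; whether the stream struct carries a payload length is not visible here, and bounding by it would be tighter if it does. At minimum the comment should say so, e.g. `// NOTE: bound is buffer capacity, not received length; bytes after a short payload are still read.` Also, in the `stream_index == 0` branch `stream_ptr` equals `streamdata->stream`, so that first check can only fire if `STREAM_SIZE_MAX_60` is 3 or less, while the range of `stream_index` itself is not validated before `stream_ptr` is formed for the other case. The function body starts and ends outside the hunk.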
@@ -277,6 +284,8 @@ int WebRtcIsac_DecLogisticMulti2(
 while ( !(W_upper & 0xFF000000) ) /* W_upper < 2^24 */
 {
 /* read next byte from stream */
+ if (stream_ptr + 1 >= stream_end)
+ return -1; // Would read out of bounds. Malformed input?
 streamval = (streamval << 8) | *++stream_ptr;
 W_upper <<= 8;
 }
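Review bot: The early `return -1` inside this renormalisation loop exits before whatever follows the loop can write the decoder state back to `streamdata`, and presumably after part of the output has already been produced, so callers have to treat -1 as fatal for the frame and discard the partial result. The function's tail and its callers are outside this hunk, so that should be confirmed and recorded in a comment such as `/* on -1 the stream state and output are unspecified; caller must drop the frame */`. The same applies to the check added in the first hunk. As a style point, the two-line unbraced `if` sits in code that otherwise braces its blocks; `if (stream_ptr + 1 >= stream_end) { return -1; }` is less fragile to later edits.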