From d52bef7d6445070532b3c8463859ee4e1f99d70f Mon Sep 17 00:00:00 2001
From: kwiberg
Date: Tue, 6 Sep 2016 06:16:03 -0700
Subject: [PATCH] iSAC float: Handle errors in upper band decoding

We hit a fuzzer bug that caused numDecodedBytesLB + numDecodedBytesUB > lenEncodedBytes, which is obviously bogus. Check for that, and for the case whhere the UB decoder itself realized that something was wrong. (The code already makes the corresponding check for the LB decoder.)
BUG=chromium:637899
Review-Url: https://codereview.webrtc.org/2315693002
Cr-Commit-Position: refs/heads/master@{#14091}
---
 .../audio_coding/codecs/isac/main/source/isac.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c b/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c
index e59f16f2c1..bf1cff4019 100644
--- a/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c
+++ b/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c
@@ -1253,6 +1253,17 @@ static int Decode(ISACStruct* ISAC_main_inst,
 return -1;
 }
 
+ if (numDecodedBytesUB < 0) {
+ instISAC->errorCode = numDecodedBytesUB;
+ return -1;
+ }
+ if (numDecodedBytesLB + numDecodedBytesUB > lenEncodedBytes) {
+ // We have supposedly decoded more bytes than we were given. Likely
+ // caused by bad input data.
+ instISAC->errorCode = ISAC_LENGTH_MISMATCH;
+ return -1;
+ }
+
 /* It might be less due to garbage. */
 if ((numDecodedBytesUB != lenNextStream) &&
 (numDecodedBytesUB != (lenNextStream -
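Review bot: The added bound `numDecodedBytesLB + numDecodedBytesUB > lenEncodedBytes` relies on the `numDecodedBytesUB < 0` test directly above it staying first, and nothing in the new code records that dependency. The three operands are declared outside this hunk; if any of them is unsigned, a negative upper-band count would be converted and could wrap the sum back under `lenEncodedBytes`, so the check would pass on exactly the input it is meant to reject. I would add a line such as `// Keep after the < 0 check: a negative count could wrap the sum if the operands are unsigned.` above the second `if`. The comparison also accepts the equal case, and the garbage-length statement that follows continues past the end of the hunk, so please confirm that nothing there reads the input at or beyond `numDecodedBytesLB + numDecodedBytesUB`. Decode() itself starts and ends outside the hunk.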