From d7e251378b4aea7e43261e1a756a29445b891f2e Mon Sep 17 00:00:00 2001
From: Stefan Holmer
Date: Thu, 23 Nov 2017 10:36:11 +0100
Subject: [PATCH] Fix potential overflow in congestion controller fuzzer.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bug: chromium:787753
Change-Id: I43d765379216db35f3df748b16599b34bffd388f
Reviewed-on: https://webrtc-review.googlesource.com/25480
Reviewed-by: Björn Terelius
Commit-Queue: Stefan Holmer
Cr-Commit-Position: refs/heads/master@{#20851}
---
 test/fuzzers/congestion_controller_feedback_fuzzer.cc | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/test/fuzzers/congestion_controller_feedback_fuzzer.cc b/test/fuzzers/congestion_controller_feedback_fuzzer.cc
index a7b89fc891..084c8c300a 100644
--- a/test/fuzzers/congestion_controller_feedback_fuzzer.cc
+++ b/test/fuzzers/congestion_controller_feedback_fuzzer.cc
@@ -27,8 +27,9 @@ void FuzzOneInput(const uint8_t* data, size_t size) {
   header.ssrc = ByteReader::ReadBigEndian(&data[i]);
   i += sizeof(uint32_t);
   header.extension.hasTransportSequenceNumber = true;
-  int64_t arrival_time_ms =
-      std::max(ByteReader::ReadBigEndian(&data[i]), 0);
+  int64_t arrival_time_ms = std::min(
+      std::max(ByteReader::ReadBigEndian(&data[i]), 0),
+      std::numeric_limits::max() / 2);
   i += sizeof(int64_t);
   const size_t kMinPacketSize =
       sizeof(size_t) + sizeof(uint16_t) + sizeof(uint8_t);
@@ -41,7 +42,7 @@ void FuzzOneInput(const uint8_t* data, size_t size) {
     rbe->IncomingPacket(arrival_time_ms, payload_size, header);
     clock.AdvanceTimeMilliseconds(5);
     arrival_time_ms += ByteReader::ReadBigEndian(&data[i]);
-    arrival_time_ms += sizeof(uint8_t);
+    i += sizeof(uint8_t);
   }
   rbe->Process();
 }
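Review bot: The `max() / 2` headroom on the new arrival_time_ms clamp in the first hunk is left unexplained, and its safety argument lives in the second hunk: each loop iteration adds at most one uint8_t (255) via `arrival_time_ms += ByteReader::ReadBigEndian(&data[i])`, and the iteration count is bounded by `size`, so half the int64_t range can never be exhausted. A comment on the clamp should state that, e.g. `// Keep half the int64_t range free: the loop below adds at most 255 per packet, so the sum cannot overflow for any input size.` The lower clamp to 0 still allows seeds near the half-range, far ahead of the simulated clock that only advances 5 ms per packet; that is presumably intentional for a fuzzer and is worth saying in the same comment. The page text has lost its template arguments (`std::numeric_limits::max()` and `ByteReader::ReadBigEndian` cannot compile as shown), so read them as the `<int64_t>`/`<uint8_t>` instantiations; FuzzOneInput starts and ends outside this hunk.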
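Review bot: With `i += sizeof(uint8_t)` now advancing the cursor in the second hunk, the one-byte read on the preceding `arrival_time_ms += ByteReader::ReadBigEndian(&data[i])` line becomes the last byte consumed per iteration, so the loop condition (outside this hunk) must guarantee `i + kMinPacketSize <= size` before the body runs. The kMinPacketSize definition in the first hunk does include `sizeof(uint8_t)`, which suggests the bound covers it, but that is inferred from the constant rather than from a visible check, so please confirm. A short comment on the read, `// Per-packet arrival delta; the loop bound must still leave one byte here.`, would make the invariant visible to the next reader.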