From e058568cc50ca7760a29df16a33eeb643a4e6b1d Mon Sep 17 00:00:00 2001
From: Karl Wiberg
Date: Thu, 24 May 2018 15:14:07 +0200
Subject: [PATCH] iLBC decoding: Ignore a signed overflow

It's always been there, and there's no security risk.

Bug: chromium:843477
Change-Id: I6121943f23b477300cf60ffc4858ef0ab43466dc
Reviewed-on: https://webrtc-review.googlesource.com/78782
Reviewed-by: Henrik Lundin
Commit-Queue: Karl Wiberg
Cr-Commit-Position: refs/heads/master@{#23393}
---
 modules/audio_coding/codecs/ilbc/smooth_out_data.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/modules/audio_coding/codecs/ilbc/smooth_out_data.c b/modules/audio_coding/codecs/ilbc/smooth_out_data.c
index 1aa1e0a427..72b3a47790 100644
--- a/modules/audio_coding/codecs/ilbc/smooth_out_data.c
+++ b/modules/audio_coding/codecs/ilbc/smooth_out_data.c
@@ -18,6 +18,16 @@
 
 #include "modules/audio_coding/codecs/ilbc/defines.h"
 #include "modules/audio_coding/codecs/ilbc/constants.h"
+#include "rtc_base/sanitizer.h"
+
+// An s32 + s32 -> s32 addition that's allowed to overflow. (It's still
+// undefined behavior, so not a good idea; this just makes UBSan ignore the
+// violation, so that our old code can continue to do what it's always been
+// doing.)
+static inline int32_t RTC_NO_SANITIZE("signed-integer-overflow")
+ OverflowingAdd_S32_S32_To_S32(int32_t a, int32_t b) {
+ return a + b;
+}
 
 int32_t WebRtcIlbcfix_Smooth_odata(
 int16_t *odata,
@@ -37,7 +47,7 @@ int32_t WebRtcIlbcfix_Smooth_odata(
 errs=0;
 for(i=0;i<80;i++) {
 err = (psseq[i] - odata[i]) >> 3;
- errs += err * err; /* errs in Q-6 */
+ errs = OverflowingAdd_S32_S32_To_S32(errs, err * err); // errs in Q-6
 }
 
 return errs;
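Review bot: The new helper OverflowingAdd_S32_S32_To_S32 still evaluates `a + b` on two int32_t values, so the overflow remains undefined behavior in every build, as its own comment admits; RTC_NO_SANITIZE only stops UBSan from reporting it. The compiler is still free to assume the sum never overflows, and sanitizer and fuzzing runs will no longer flag this path. Doing the addition in unsigned arithmetic yields the same wrapped value on two's-complement targets without UB: `return (int32_t)((uint32_t)a + (uint32_t)b);` (the conversion back is implementation-defined, not undefined). With that change the attribute, and probably the rtc_base/sanitizer.h include, would no longer be needed here.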
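Review bot: In the accumulation loop of WebRtcIlbcfix_Smooth_odata, `errs` is now explicitly allowed to wrap, so the returned value can be negative or much smaller than the true squared error, and nothing at the call site records why that is acceptable. The commit message asserts there is no security risk, but that reasoning is not in the code; extending the trailing comment to something like `// errs in Q-6; may wrap on large inputs, see <reason callers tolerate this>` would stop the value being reused where a wrapped result matters. `err * err` is also still an ordinary signed multiply evaluated before the helper is called; the declarations of `err` and `errs` are outside the hunk, so whether that product can overflow on its own cannot be confirmed from here. The function body starts and ends outside the hunk.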