From ee31f0a7d5ed564cd12704e000b9ccabf9266f03 Mon Sep 17 00:00:00 2001
From: "henrik.lundin"
Date: Tue, 16 Feb 2016 08:42:07 -0800
Subject: [PATCH] Fix out-of-buffer read in iLBC

In some cases, the decoder can read outside of an allocated array. See the new comment in the code for more details.

BUG=chromium:568889, webrtc:5305

Review URL: https://codereview.webrtc.org/1700973002

Cr-Commit-Position: refs/heads/master@{#11637}
---
 .../audio_coding/codecs/ilbc/create_augmented_vec.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c b/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c
index 8ae28ac3b9..6b2307c237 100644
--- a/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c
+++ b/webrtc/modules/audio_coding/codecs/ilbc/create_augmented_vec.c
@@ -18,6 +18,7 @@
 #include "defines.h"
 #include "constants.h"
+#include "webrtc/common_audio/signal_processing/include/signal_processing_library.h"
 /*----------------------------------------------------------------* * Recreate a specific codebook vector from the augmented part.
@@ -53,5 +54,15 @@ void WebRtcIlbcfix_CreateAugmentedVec(
 /* copy the second noninterpolated part */
 ppo = buffer - index;
- WEBRTC_SPL_MEMCPY_W16(cbVec+index,ppo,(SUBL-index));
+ /* |tempbuff2| is declared in WebRtcIlbcfix_GetCbVec and is SUBL+5 elements long. |buffer| points one element past the end of that vector, i.e., at tempbuff2+SUBL+5. Since ppo=buffer-index, we cannot read any more than |index| elements from |ppo|. |cbVec| is declared to be SUBL elements long in WebRtcIlbcfix_CbConstruct. Therefore, we can only write SUBL-index elements to cbVec+index. These two conditions limit the number of elements to copy. */
+ WEBRTC_SPL_MEMCPY_W16(cbVec+index, ppo, WEBRTC_SPL_MIN(SUBL-index, index));
 }
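Review bot: The clamped copy at the end of WebRtcIlbcfix_CreateAugmentedVec stops the over-read, but when `index` is smaller than `SUBL-index` it writes only `index` elements, and nothing in this hunk fills the rest of `cbVec` up to `SUBL`. If the caller's `cbVec` is not initialised beforehand (its declaration in WebRtcIlbcfix_CbConstruct is outside the hunk, as is the start of this function), the decoder would go on to use stale or uninitialised samples for exactly the input that used to over-read. Consider zeroing the tail after the copy, e.g. `WebRtcSpl_MemSetW16(cbVec+index+n, 0, SUBL-index-n);` with `n` holding the clamped count, or rejecting the out-of-range `index` in WebRtcIlbcfix_GetCbVec so this path is never reached. The bound also rests on buffer sizes declared in two other functions, so an assertion on the accepted range of `index` next to the copy would keep the invariant checkable in one place.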