From f91b0b49f911a3c3996b19e7e6b31f5e982af650 Mon Sep 17 00:00:00 2001 From: saza Date: Wed, 12 Jul 2017 01:43:14 -0700 Subject: [PATCH] Set memory to all-zero floats in ExtractExtendedBlock in AEC2 if buffer is empty. This avoids a memcopy call which may corrupt audio handling and, in rare cases, crash WebRTC with a buffer over-read. BUG=webrtc:7845 Review-Url: https://codereview.webrtc.org/2980723002 Cr-Commit-Position: refs/heads/master@{#18984} --- webrtc/modules/audio_processing/aec/aec_core.cc | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/webrtc/modules/audio_processing/aec/aec_core.cc b/webrtc/modules/audio_processing/aec/aec_core.cc index 3155bad972..0eec22f4e5 100644 --- a/webrtc/modules/audio_processing/aec/aec_core.cc +++ b/webrtc/modules/audio_processing/aec/aec_core.cc @@ -206,16 +206,21 @@ void BlockBuffer::ExtractExtendedBlock(float extended_block[PART_LEN2]) { // Extract the previous block. WebRtc_MoveReadPtr(buffer_, -1); - WebRtc_ReadBuffer(buffer_, reinterpret_cast(&block_ptr), - &extended_block[0], 1); - if (block_ptr != &extended_block[0]) { + size_t read_elements = WebRtc_ReadBuffer( + buffer_, reinterpret_cast(&block_ptr), &extended_block[0], 1); + if (read_elements == 0u) { + std::fill_n(&extended_block[0], PART_LEN, 0.0f); + } else if (block_ptr != &extended_block[0]) { memcpy(&extended_block[0], block_ptr, PART_LEN * sizeof(float)); } // Extract the current block. - WebRtc_ReadBuffer(buffer_, reinterpret_cast(&block_ptr), - &extended_block[PART_LEN], 1); - if (block_ptr != &extended_block[PART_LEN]) { + read_elements = + WebRtc_ReadBuffer(buffer_, reinterpret_cast(&block_ptr), + &extended_block[PART_LEN], 1); + if (read_elements == 0u) { + std::fill_n(&extended_block[PART_LEN], PART_LEN, 0.0f); + } else if (block_ptr != &extended_block[PART_LEN]) { memcpy(&extended_block[PART_LEN], block_ptr, PART_LEN * sizeof(float)); } }