diff options
author | Michal Klocek <michal.klocek@qt.io> | 2018-04-05 11:36:57 +0200 |
---|---|---|
committer | Michal Klocek <michal.klocek@qt.io> | 2018-06-06 12:44:17 +0000 |
commit | 746a5b92fae5dad5867a414a5819093b560dcee2 (patch) | |
tree | 0760878ad2a7d02b1525d194c121deb6c1b04619 | |
parent | fa38dc29054d6895758bcc75e031a89597f3aaf6 (diff) |
[Backport] Security Bug 825524
iSAC decoder: Don't read past the end of the buffer of encoded bytes
Bug: chromium:825524
Change-Id: I5a31b84f3ca9c439cf7f1958cd0390c76d0472bf
Reviewed-on: https://webrtc-review.googlesource.com/66361
Reviewed-by: Kai Koehne <kai.koehne@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/chromium/third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c b/chromium/third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c index 79dc7e2b394..525e0f3dbd8 100644 --- a/chromium/third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c +++ b/chromium/third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c @@ -1266,8 +1266,10 @@ static int Decode(ISACStruct* ISAC_main_inst, /* It might be less due to garbage. */ if ((numDecodedBytesUB != lenNextStream) && - (numDecodedBytesUB != (lenNextStream - - encoded[numDecodedBytesLB + 1 + numDecodedBytesUB]))) { + (numDecodedBytesLB + 1 + numDecodedBytesUB >= lenEncodedBytes || + numDecodedBytesUB != + (lenNextStream - + encoded[numDecodedBytesLB + 1 + numDecodedBytesUB]))) { instISAC->errorCode = ISAC_LENGTH_MISMATCH; return -1; } |