authorMichal Klocek <michal.klocek@qt.io>2018-04-05 11:36:57 +0200
committerMichal Klocek <michal.klocek@qt.io>2018-06-06 12:44:17 +0000
commit746a5b92fae5dad5867a414a5819093b560dcee2 (patch)
tree0760878ad2a7d02b1525d194c121deb6c1b04619
parentfa38dc29054d6895758bcc75e031a89597f3aaf6 (diff)
[Backport] Security Bug 825524
iSAC decoder: Don't read past the end of the buffer of encoded bytes Bug: chromium:825524 Change-Id: I5a31b84f3ca9c439cf7f1958cd0390c76d0472bf Reviewed-on: https://webrtc-review.googlesource.com/66361 Reviewed-by: Kai Koehne <kai.koehne@qt.io> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/chromium/third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c b/chromium/third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c
index 79dc7e2b394..525e0f3dbd8 100644
--- a/chromium/third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c
+++ b/chromium/third_party/webrtc/modules/audio_coding/codecs/isac/main/source/isac.c
@@ -1266,8 +1266,10 @@ static int Decode(ISACStruct* ISAC_main_inst,
/* It might be less due to garbage. */
if ((numDecodedBytesUB != lenNextStream) &&
- (numDecodedBytesUB != (lenNextStream -
- encoded[numDecodedBytesLB + 1 + numDecodedBytesUB]))) {
+ (numDecodedBytesLB + 1 + numDecodedBytesUB >= lenEncodedBytes ||
+ numDecodedBytesUB !=
+ (lenNextStream -
+ encoded[numDecodedBytesLB + 1 + numDecodedBytesUB]))) {
instISAC->errorCode = ISAC_LENGTH_MISMATCH;
return -1;
}
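Review bot: The added bounds test and the subscript two lines below each spell out `numDecodedBytesLB + 1 + numDecodedBytesUB` separately, so a later edit to one can leave the guard checking a different index than the one actually read. Computing it once, e.g. `idx = numDecodedBytesLB + 1 + numDecodedBytesUB;`, and using `idx` in both places keeps them tied, with a comment such as `/* Byte after the UB stream appears to hold the garbage length; reject payloads that end before it. */`. The guard bounds the index only from above; whether a negative `numDecodedBytesUB` has already been rejected, and whether the operands are signed or unsigned, is decided in the part of Decode outside this hunk, so it is worth confirming the index cannot be negative here. A regression test that feeds a payload truncated just before that byte and expects `ISAC_LENGTH_MISMATCH` would pin the fix.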