author | Henrik Lundin <henrik.lundin@webrtc.org> | 2019-11-25 10:21:00 +0100 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2020-03-24 08:15:55 +0000 |
commit | 442f3b6715dad10b449c073744a949b304916a8d (patch) | |
tree | 3860f86ce2bed410d70c7da0e1d34750c2c3f6dd | |
parent | 86959566c4b101cfd54952fbca52fbc3d3dd9554 (diff) | |
download | qtwebengine-chromium-442f3b6715dad10b449c073744a949b304916a8d.tar.gz |
[Backport] Security bug 1016506
Manual backport of patch originally reviewed on
https://webrtc-review.googlesource.com/c/src/+/160304:
Fixing a buffer overflow in Merge::Downsample
In the unlikely event that the decoded audio is really short, the
downsampling would read outside of the decoded audio vector. This CL
fixes that, and adds a unit test that verifies the fix (when running
with ASan).
Bug: chromium:1016506
Change-Id: I498b49ab4cf376d4680049fa6b0a67d7515b0e04
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/webrtc/modules/audio_coding/neteq/merge.cc | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/chromium/third_party/webrtc/modules/audio_coding/neteq/merge.cc b/chromium/third_party/webrtc/modules/audio_coding/neteq/merge.cc index 3c9ad19d058..6b20b6e8305 100644 --- a/chromium/third_party/webrtc/modules/audio_coding/neteq/merge.cc +++ b/chromium/third_party/webrtc/modules/audio_coding/neteq/merge.cc @@ -285,19 +285,22 @@ void Merge::Downsample(const int16_t* input, num_coefficients, decimation_factor, kCompensateDelay); if (input_length <= length_limit) { // Not quite long enough, so we have to cheat a bit. - // If the input is really short, we'll just use the input length as is, and - // won't bother with correcting for the offset. This is clearly a - // pathological case, and the signal quality will suffer. - const size_t temp_len = input_length > signal_offset - ? input_length - signal_offset - : input_length; + // If the input is shorter than the offset, we consider the input to be 0 + // length. This will cause us to skip the downsampling since it makes no + // sense anyway, and input_downsampled_ will be filled with zeros. This is + // clearly a pathological case, and the signal quality will suffer, but + // there is not much we can do. + const size_t temp_len = + input_length > signal_offset ? input_length - signal_offset : 0; // TODO(hlundin): Should |downsamp_temp_len| be corrected for round-off // errors? I.e., (temp_len + decimation_factor - 1) / decimation_factor? size_t downsamp_temp_len = temp_len / decimation_factor; - WebRtcSpl_DownsampleFast(&input[signal_offset], temp_len, - input_downsampled_, downsamp_temp_len, - filter_coefficients, num_coefficients, - decimation_factor, kCompensateDelay); + if (downsamp_temp_len > 0) { + WebRtcSpl_DownsampleFast(&input[signal_offset], temp_len, + input_downsampled_, downsamp_temp_len, + filter_coefficients, num_coefficients, + decimation_factor, kCompensateDelay); + } memset(&input_downsampled_[downsamp_temp_len], 0, sizeof(int16_t) * (kInputDownsampLength - downsamp_temp_len)); } else { |
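Review bot: inside the new `if (downsamp_temp_len > 0)` block the result of `WebRtcSpl_DownsampleFast` is still discarded, so if the call rejects the shortened `temp_len`, the first `downsamp_temp_len` entries of `input_downsampled_` keep whatever they held, because the following `memset` only zeroes from index `downsamp_temp_len` onward. Consider checking the result and zeroing the whole buffer on failure, which matches the behaviour the new comment promises for the too-short case. The zero-length path itself looks consistent: with `temp_len` forced to 0 when `input_length <= signal_offset`, the call that indexes `&input[signal_offset]` is skipped and the `memset` covers all `kInputDownsampLength` entries. Separately, the commit message says the change adds a unit test that verifies the fix under ASan, but the diffstat lists only merge.cc (1 file changed), so this backport carries the guard without that regression test; either include the test or note in the message that it was left out. The TODO about round-off in `downsamp_temp_len` is untouched and still open.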